In a grim reminder of how security flaws in the latest connected devices compromise privacy of their owners, a team of researchers have uncovered security flaws in popular connected speakers like Sonos Play:1 and Bose SoundTouch speakers.
Security flaws in Sonos Play:1 and Bose SoundTouch connected speakers allowed hackers to remotely control them and to steal their owners’ email addresses and location details.
The security flaws uncovered in Sonos Play:1 and Bose SoundTouch connected speakers are different this time and much more worrying. While hacking into most connected devices requires hackers to gain physical access to a target device or to stay near it, the researchers at Trend Micro observed, much to their surprise, that they could gain remote access to these devices from any device with an Internet connection.
An open port in these two devices not only allowed the researchers to remotely access them but also allowed them to find out their locations as well as e-mail addresses of their owners that were linked to music streaming services synced with the devices.
By exploiting a vulnerable port, the researchers were able to play sounds remotely on a device, send customised phishing emails to the email address linked to the target’s music streaming account to compromise it, and determine where the target was located, or in other words, determine precisely where its owner lived.
‘After determining the location of the target, an attacker can monitor the presence data available from the device, such as the times when the speaker is activated and deactivated. The pattern can more or less tell the attacker when the target is awake, asleep, or even when the target is not around,’ they noted.
They added that attackers could add personalised details to pre-recorded messages sent to these devices and as such, posed great risk to businesses that used internet-connected speakers or have Bring Your Own Device (BYOD) programs.
‘As the production and consumption of IoT devices increase, the lack of built-in security becomes more and more of an issue. With all these devices connected to each other via networks and the internet, it could take just one security gap to compromise a user – or an entire network,’ they warned.
During the course of their research, they also observed that as many as 4,000 to 5,000 Sonos speakers featured the particular vulnerability. Here’s a quote from the researchers that sums up their findings and contains advice on what manufacturers must do to secure connected devices and to protect user privacy:
‘While IoT devices are connected to the internet, they should never be exposed. In the case of the test device, manufacturers should make sure that ports connecting to the devices cannot be accessed directly from the internet. Manufacturers should also secure data that’s being stored or compiled by these IoT devices and conduct security audits — including regularly reading public forums discussing their products.
‘At the same time, consumers and enterprise IT administrators should not rely entirely on manufacturers to do all the heavy lifting. Users should check their routers for rules that might provide outside access to devices and folders on the network. If access is needed, it should be limited to as few devices as possible. They should enable password protection on all devices if possible and replace default passwords immediately with stronger ones.’
Since all IoT devices are connected to centralised networks from where they receive software updates and new features, hackers have started creating specialised botnets which can bring down entire IoT networks, thereby affecting thousands of users in one go.
Back in December, security researcher Li Fengpei identified a malicious botnet named Satori which impacted as many as 280,000 different IPs within a span of 12 hours. The botnet attacked vulnerable ports used by millions of IoT devices and used compromised devices to launch fresh attacks.
‘With every element of the IoT being connected, the knock-on effect of one device being hit by some form of cyber-attack has the power to, almost instantly, cripple millions of others.
‘In order to work towards stamping-out the huge threat to the IoT landscape, more cohesive security strategies need to be considered, with consumers being made aware of the wider ecosystem they’re signing up to, the potential risks associated with this, and how best to isolate them,’ said Rodney Joffe, SVP and Fellow at Neustar.