Why The Wireless Speaker Hack Story Is A Non Story

There’s a story that is making the rounds from Wired that will be of interest to those who own Bose or Sonos wireless speakers:

Researchers at Trend Micro have found that some models of Sonos and Bose speakers—including the Sonos Play:1, the newer Sonos One, and Bose SoundTouch systems—can be pinpointed online with simple internet scans, accessed remotely, and then commandeered with straightforward tricks to play any audio file that a hacker chooses. Only a small fraction of the total number of Bose and Sonos speakers were found to be accessible in their scans. But the researchers warn that anyone with a compromised device on their home network, or who has opened up their network to provide direct access to a server they’re running to the external internet—say, to host a game server or share files—has potentially left their fancy speakers vulnerable to an epic aural prank.

While this isn’t epic pwnage on the scale of an Equifax or someting, this sounds pretty dire. Speakers that can be pwned from the Internet? Scary right?

Actually no.

The problem with this story is this. The key point is in red:

But the researchers warn that anyone with a compromised device on their home network, or who has opened up their network to provide direct access to a server they’re running to the external internet—say, to host a game server or share files—has potentially left their fancy speakers vulnerable to an epic aural prank.

So, part of the way to pull off this hack is to have your network in whole (which would be dumb) or in part (which would be a questionable idea at best) to be exposed to the Internet. While there are likely things that both Sonos and Bose can do to tighten things up when it comes to their wireless speakers, they are not the problem here. Besides, having a network that is open in whole or in part to the outside world potentially exposes everything on that network to pwnage. Thus this isn’t a story about a vulnerability in wireless speakers. It’s a story about people doing dumb things when it comes to network security. That’s why this story is a non story.

Bottom line: Nothing to see here. Move along.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: