Archive for Bose

Why The Wireless Speaker Hack Story Is A Non Story

Posted in Commentary on December 28, 2017 by itnerd

There’s a story that is making the rounds from Wired that will be of interest to those who own Bose or Sonos wireless speakers:

Researchers at Trend Micro have found that some models of Sonos and Bose speakers—including the Sonos Play:1, the newer Sonos One, and Bose SoundTouch systems—can be pinpointed online with simple internet scans, accessed remotely, and then commandeered with straightforward tricks to play any audio file that a hacker chooses. Only a small fraction of the total number of Bose and Sonos speakers were found to be accessible in their scans. But the researchers warn that anyone with a compromised device on their home network, or who has opened up their network to provide direct access to a server they’re running to the external internet—say, to host a game server or share files—has potentially left their fancy speakers vulnerable to an epic aural prank.

While this isn’t epic pwnage on the scale of an Equifax or something, this sounds pretty dire. Speakers that can be pwned from the Internet? Scary, right?

Actually no.

The problem with this story is this. The key point is in red:

But the researchers warn that anyone with a compromised device on their home network, or who has opened up their network to provide direct access to a server they’re running to the external internet—say, to host a game server or share files—has potentially left their fancy speakers vulnerable to an epic aural prank.

So, part of the way to pull off this hack is to have your network exposed to the Internet, either in whole (which would be dumb) or in part (which would be a questionable idea at best). While there are likely things that both Sonos and Bose can do to tighten things up when it comes to their wireless speakers, they are not the problem here. Besides, having a network that is open in whole or in part to the outside world potentially exposes everything on that network to pwnage. Thus, this isn’t a story about a vulnerability in wireless speakers. It’s a story about people doing dumb things when it comes to network security. That’s why this story is a non story.

Bottom line: Nothing to see here. Move along.


Bose Gets Accused Of Spying On Its Users

Posted in Commentary on April 20, 2017 by itnerd

A class action lawsuit has been filed after an owner of a pair of Bose headphones allegedly discovered how much personal information the Bose Connect app was sending to Bose. This allegedly included songs listened to, for how long, and when.

Court documents [Warning: PDF] state that Kyle Zak bought himself a pair of Bose QuietComfort 15 wireless headphones in March, and downloaded the Bose Connect smartphone app that allows the user to control the headsets from their phone. Bose’s app collects data on what kind of songs he was listening to, and for how long, along with a personal identifier code. The lawsuit says these records are routed to a data mining firm called Segment.io, which advertises that it can “collect all of your customer data and send it anywhere.” The thing is, he never gave anyone permission to collect his data and send it anywhere. Plus, he claims that he wouldn’t have bought these headsets had he known that Bose was doing this.

For giggles I borrowed a pair of QuietComfort 35 headsets and downloaded the Bose Connect app onto my iPhone and discovered that he might have a point. For example, you need to give the app access to GPS data, which makes zero sense to me seeing as you are listening to music, which, the last time I checked, didn’t require you to give out your location to do so. But the flipside to that is that there’s a section in the software detailing Bose’s privacy policy that clearly states that the app collects data and sends it to third parties. So perhaps this individual missed that part. But I am a computer nerd and not a lawyer.

Now none of this has been proven in court. But if it is, he wants $5 million in his bank account. Bose hasn’t commented, but I for one can’t wait to see what they come back with.