Time and again over the course of 2017, security researchers have looked for and found security flaws in internet of things connected devices. The latest such research was reported on Dec. 27 by Trend Micro, which found multiple flaws in connected home speakers from Sonos and Bose.
Details on the flaws are discussed by Trend Micro in a 47-page report titled “The Sound of a Targeted Attack,” which also provides insight into how attackers can use the vulnerabilities to exploit users. The impacted systems include the Sonos Play:1, Sonos One and Bose SoundTouch systems.
“With the popularity of IoT devices growing every day, it is very important to be knowledgeable of the built-in security of these devices that ultimately could affect the owner and make them a target of an attack,” Stephen Hilt, senior threat researcher at Trend Micro, wrote in the report. “While this research focused on Sonos speakers, we do not at all want to single them out as the only IoT device with security issues on the market today.”
Sonos has already responded to Trend Micro about the findings and has issued an update for its users. According to Trend Micro, the company also reached out to Bose but has not yet received a response to its findings. The Sonos flaws, in particular, could have enabled an attacker to gain information about Sonos users as well as potentially enabling limited control of a device to play songs. Trend Micro also found that there was an unauthenticated status site page being served by Sonos devices.
“This site, with no authentication, allows you to see information about the tracks currently being played, what music libraries it knows about, what devices have ever connected to it to control it, and down to personal information such as emails associated with specific audio streaming services like Spotify,” the report stated.
The Trend Micro researchers noted in the report that they could take the user information found on the status site pages and cross-reference it with breached account database services to find associated usernames and passwords.
In addition, there was functionality on the Sonos devices that could have enabled an unauthenticated remote attacker to “ping,” or query, the network the device was attached to in order to find other devices. Using a weak device to pivot and attack other devices in a network is a common attack technique. As such, even though simply getting access to a vulnerable Sonos device might initially just seem like a nuisance type of attack, there is the potential that the vulnerable device could become a launching point for a wider, more invasive attack.
Trend Micro reported that when it first conducted the research, it used the shodan.io search tool to find approximately 5,000 Sonos devices that were connected to the public internet and potentially at risk. On Dec. 28, eWEEK conducted a Shodan search with the same parameters and found 2,289 potentially exposed Sonos devices.
The root cause of the vulnerability in the Sonos speakers is an unauthenticated SOAP (Simple Object Access Protocol) XML interface that leads to information leakage. SOAP is a remote produce call technology that gives access into a given interface or device.
“While these devices are never supposed to be exposed on the internet, we have shown that they can and will find their way directly on the internet,” Hilt wrote. “We believe that the manufacturers should do whatever they can to make sure that their devices are secured enough that if it is placed on the internet, the likelihood of attack is really low.”
Hilt also suggests that end users set up their Sonos systems on a secured internal network.
Fundamentally though, any time administrative or monitoring capabilities are available on a device, it should be protected, at the very least, with some form of basic authentication. What the new Trend Micro research reinforces is the notion that a motivated attacker can use even basic information to pivot into more meaningful attack vectors.
No doubt, there are still many other IoT devices with similar kinds of issues that could be exposing users to risk. The recommendation to put IoT devices on a separate secured network is a helpful one. That way, even if an attacker can get access to a vulnerable IoT device and then attempts to pivot to other devices or network assets, the attack surface may be reduced.
The simple and unfortunate truth of IoT connected devices is that they can represent a potential unauthorized entry point into a network, if not properly secured. If a device doesn’t need to be connected to the public internet, then perhaps it should only get access to the local network. By keeping IoT devices patched and segmented from other devices and networks, risk can be reduced, but not entirely eliminated.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.