making it work with TUN device is a nightmare. 3) Sonos controller must be connected to a wifi network to function properly, so you'll have to use public / private wifi or wifi hotspot on some other device in conjunction with VPN it doable, though. 2) The most obvious setup - OpenVPN with 'tap' device won't fly. Required plugins: dhcp (for getting an IP address from your home router), farp (for proxying ARP to make it look like device is on the same network), forecast (for broadcast / multicast forwarding) 1) You don't have to join the same network but having your controller on a separate network will complicate the setup even more. Raspberry PI is cheap, small and has no fans 2) StrongSwan software on the server side for L2TP VPN connection. The idea is to get it on the same network as your Sonos devices and make multicast and broadcast work. 1) raspberry pi or any linux device you're willing to use as a VPN gateway. And if they do, they should at least keep an ear out for any evil commands their Sonos might be whispering to their Echo after dark. After playing with it for a little while I made it work with L2TP IKEv2 VPN setup. But it does mean owners of internet-connected speakers should think twice about opening holes in their network designed to let external visitors into other servers. None of this adds up to much of a critical security threat for the average audiophile. We do not recommend this type of set-up for our customers." Bose has yet to respond to WIRED's request for comment on Trend Micro's research. A Sonos spokesperson wrote in response to an inquiry from WIRED that the company is "looking into this more, but what you are referencing is a misconfiguration of a user’s network that impacts a very small number of customers that may have exposed their device to a public network.
But Bose has yet to respond to Trend Micro's warnings about its security vulnerabilities, and both companies' speakers remain vulnerable to the audio API attack when their speakers are left accessible on the internet. In testing devices running an older version of Sonos software, they even found that they could identify more detailed information, like the IP addresses and device IDs of gadgets that had connected to the speaker. After Trend Micro warned Sonos about its findings, the company pushed out an update to reduce that information leakage. "It's starting to freak me out and I don't know how to stop it." She eventually resorted to unplugging the speaker. Beyond merely playing sounds through a victim's device, a hacker could also determine information like what file a vulnerable speaker is currently playing, the name of someone's accounts on services like Spotify and Pandora, and the name of their Wi-Fi network. The company's researchers point to one posting from a customer on a Sonos forum who reported earlier this year that her speaker had begun randomly playing sounds like door creaks, baby cries, and glass breaking. And the audio-hacker haunting Trend Micro warns about may have already actually happened in the wild. Given the complexity of those voice assistant attacks, however, pranks are far more likely. "Anyone can go in and start controlling your speaker sounds," if you have a compromised device, or even just a carelessly configured network. "The unfortunate reality is that these devices assume the network they're sitting on is trusted, and we all should know better than that at this point," says Mark Nunnikhoven, a Trend Micro research director.
But the researchers warn that anyone with a compromised device on their home network, or who has opened up their network to provide direct access to a server they're running to the external internet (say, to host a game server or share files) has potentially left their fancy speakers vulnerable to an epic aural prank. Only a small fraction of the total number of Bose and Sonos speakers were found to be accessible in their scans. Researchers at Trend Micro have found that some models of Sonos and Bose speakers (including the Sonos Play:1, the newer Sonos One, and Bose SoundTouch systems) can be pinpointed online with simple internet scans, accessed remotely, and then commandeered with straightforward tricks to play any audio file that a hacker chooses. Instead, if you own one of a few models of internet-connected speaker and you've been careless with your network settings, you might be one of thousands of people whose Sonos or Bose devices have been left wide open to audio hijacking by hackers around the world. If so, you haven't necessarily lost your mind. Perhaps you've been hearing strange sounds in your home: ghostly creaks and moans, random Rick Astley tunes, Alexa commands issued in someone else's voice.