Skip to main content
  1. Home
  2. Audio / Video
  3. News

A major Sonos exploit was explained at Black Hat — but you needn’t worry

Add as a preferred source on Google
A Sonos One speaker sitting on an outdoor table.
This aging Sonos One looks like it's seen a thing or two — but it's also continued to see security updates. Phil Nickinson / Digital Trends

Hardware exploits, in a very oversimplified sense, can be broken down into two categories: Those you should care about, and those you shouldn’t. And this one firmly sits in the category of exploits that you really need not lose sleep over. But given that it involves Sonos — and because Sonos has rightly been the subject of less-than-positive headlines of late — it’s at least worth discussing.

So here’s the deal: A presentation by NCC Group’s Robert Herrera and Alex Plaskett at the August Black Hat USA 2024 conference in Las Vegas showed how a Sonos One could be exploited to allow an attacker to capture audio in real time off the device, thanks to a kernel vulnerability initiated by a flaw in the Wi-Fi stack. That, obviously, is not good. The Sonos One was the first speaker from the company to use a microphone to allow for hands-free voice control.

Recommended Videos

When the Sonos One connects to a router, there’s a handshake that happens before you can send wireless traffic, Herrera explained in an interview with Dark Reading. One of the packets exchanged was not properly validated, and that vulnerability is how an attacker could force their way into the device, and from there access the microphones.

“We deploy a method of capturing all the audio data — all the microphone input in the room, in the vicinity of this Sonos device,” Plaskett told Dark Reading ahead of his and Herrera’s presentation. An attacker is then “able to exfiltrate that data and play it back at a later date, and be able to play back all the recorded conversations from the room.”

It’s a real-time thing, though. The attacker couldn’t hear what was said before the exploit was leveraged. “You would need to exploit the Sonos device first to start the capture,” Plasket said. “And then once you start the capture, you only … have the data from within that period.”

But the proof of concept shown was not easy to implement and not the sort of thing you’d be able to do without actually being nearby someone’s Sonos One. (Other devices could be at risk, Plaskett and Herrera said, but that was more a function of the Wi-Fi flaw.)

“If an attacker goes to that kind of extent, they could compromise the devices,” Plaskett said. “And I think people have been assuming that these devices may be secure. So being able to kind of quantify the amount of effort and what an attacker would need to actually achieve the compromise is quite an important understanding.”

Perhaps most important is that the exploit was fixed within a couple months of being reported, with an update to the Sonos S2 system coming in October 2023, and an S1 update about a month later. Sonos publicly acknowledged the remote code execution vulnerability in a bulletin — again, nearly a year after actually patching its own devices — on August 1, 2024. MediaTek — whose Wi-Fi stack was the root problem here — issued its own security advisory in March 2024.

“The security posture of Sonos devices is a good standard. It’s been evolving over time,” Plaskett said. “Every vendor has vulnerabilities, and basically, it’s about how you respond to those vulnerabilities. How you patch those vulnerabilities. Sonos fixed these vulnerabilities within two months. … Yeah, it’s a good patching process, I would say.”

Phil Nickinson
Former Section Editor, Audio/Video
Phil spent the 2000s making newspapers with the Pensacola (Fla.) News Journal, the 2010s with Android Central and then the…
Google Home Speaker (2026) review: Smarter and punchier, with a subscription pinch
Google's latest smart speaker pairs Gemini with better sound and deeper smart home integration. What's not to love without spending over a $100?
Sphere, Body Part, Finger

View at Amazon

Quick Recap

Read more
Razer dressed its gaming earbuds for PS5 and Xbox, then priced them surprisingly well
Razer's Hammerhead V3 X HyperSpeed now looks loyal to Xbox and PlayStation. But one pair cheats.
Razer Hammerhead V3 X HyperSpeed for PlayStation

Razer has refreshed the design of its affordable gaming earbuds in Xbox green and PlayStation white. Beneath the matching colors, however, one version has a compatibility advantage. The Razer Hammerhead V3 X HyperSpeed for Xbox and Hammerhead V3 X HyperSpeed for PlayStation are available now for $99.99 each, matching the price of the existing standard model.

The PlayStation edition combines white earbuds with blue Razer logos and a PS-branded case, while the Xbox model uses black earbuds, green logos, and a bright green case interior.

Read more
Your next song could soon carry an AI warning label, and the music industry is all for it
AI isn't the problem anymore. Knowing it's AI is.
AI tag imagined with AI

The music industry's battle with artificial intelligence is entering a new phase. After spending the past two years fighting AI companies in court and pushing back against unauthorized training on copyrighted music, record labels are now turning their attention to something far simpler: transparency. A coalition representing major record labels, artists, and music organizations wants streaming services such as Spotify and Apple Music to clearly tell listeners when a song has been created with artificial intelligence.

The proposal, first reported by The Wall Street Journal, comes as AI-generated music becomes increasingly difficult to distinguish from songs created by human artists. Rather than banning AI music altogether, the industry is arguing that listeners deserve to know what they're hearing before they hit play.

Read more