More and more users are buying easier to use internet-connected devices and apps that control them. The increase in popularity of Internet of Things (IoT) devices are a prime target for attackers given the security issues that often come with them.
Researchers from Trend Micro wrote a fascinating in-depth report on just how hackers could exploit one type of IoT device, internet connected speakers. Such attacks could in turn expose other sensitive devices and personal data on home or enterprise networks.
For the primary case study, titled ‘The Sound of a Targeted Attack‘, the researchers examined Sonos Play:1 and also looked into the Bose SoundTouch. Security issues were reported to both Sonos and Bose. Sonos addressed the security issues shortly after they were reported, while the Trend Micro team was still waiting to hear back from Bose.
A summary of the Sonos findings included a simple open port that gave anyone on the internet access to the device and user information.
According to Trend Micro, a user could connect to a built in Sonos website, with no authentication, which “allows you to see information about the tracks currently being played, what music libraries it knows about, what devices have ever connected to it to control it, and down to personal information such as emails associated with specific audio streaming services like Spotify.”
In addition to list of connected devices, the site also lists out any shared folders that may be exposed on the same network as the Sonos device. Attackers could use this information to gather more information on connected devices to exploit vulnerabilities or steal personal data.
Another plausible scenario would be attackers could use such information to pivot from the user’s home network to enterprise networks in the future.
Finally, researchers used the Shodan search engine tool for IoT to discover internet connected Sonos devices and found nearly 5,000 devices directly exposed to the public over port 1400.
They even coded a small script to parse out unique emails, 1,293 emails of which 727 were unique, from the accounts page. These emails could be used to query hacker databases to see which ones have already been pawned from previous data breaches and used for future attacks.