Hackers could hijack internet-connected speakers to remotely play whatever they want

Hackers are able to hijack several popular models of internet-connected speakers, including some devices sold by audio technology giants Bose and Sonos, to remotely control the music you hear in your home, according to research by Japanese cybersecurity company TrendMicro.

The findings provide broad insight into the state of security behind some internet-connected audio devices.

According to researchers, at least two popular speaker models — the Sonos Play:1 and Bose SoundTouch — could be detected online with a simple internet scanning tool; allowing for a hacker to locate where a device is geographically located, what network it’s connected to and which music platform it relies on.

Hackers can discover the speakers — which in this scenario is necessary to find prior to any intrusion — if a user’s network settings are misconfigured or a device is tied to a home server that may be inadvertently connected to the public internet.

“Our case study led to unique findings,” a TrendMicro blog post reads. “These include security gaps that resulted from a simple open port that gave anyone on the internet access to the device and user information. The first glaring finding was access to email addresses that are linked to music streaming services synced with the device. Another was access to a list of devices as well as shared folders that were on the same network as the test device.”

TrendMicro researchers found they could manipulate the speakers with relative ease upon locating them, including sending requests to play audio stored elsewhere on the internet.  In practice, a hacker could force a selected device to play the audio of their choosing. Because some internet jokes never die, the researchers decided to Rick Roll themselves:

TrendMicro’s team says the vulnerabilities could be used for far more sinister purposes than just comedic pranks.

“Aside from finding an entry point, an attacker could use the exposed information for spear-phishing,” the blog post states. “By studying the target’s musical preference based on the tracks being played, an attacker can tailor-fit an email and send it to the email address linked to the target’s music streaming account. This increases the success rate of schemes to compromise businesses too.”

High-tech speakers are far from the only internet-connected devices thought to be susceptible to these types of attacks.

Over the last year, hackers have used scanning tools like Shodan to discover misconfigured, open ports that provide a foothold to compromise security cameras, DVRs and even baby monitors.