Cybersecurity researchers have uncovered weaknesses in Sonos smart speakers that could be exploited by malicious actors to clandestinely eavesdrop on users.
The vulnerabilities “led to an entire break in the security of Sonos’s secure boot process across a range of devices and remotely being able to compromise several devices over the air,” NCC Group security researchers Alex Plaskett and Robert Herrera said.
Successful exploitation of one of these flaws could allow a remote attacker to obtain covert audio capture from Sonos devices by means of an over-the-air attack. They impact all versions prior to Sonos S2 release 15.9 and Sonos S1 release 11.12, which were shipped in October and November 2023.
The findings were presented at Black Hat USA 2024. A description of the two security defects is as follows –
- CVE-2023-50809 – A vulnerability in the Sonos One Gen 2 Wi-Fi stack does not properly validate an information element while negotiating a WPA2 four-way handshake, leading to remote code execution
- CVE-2023-50810 – A vulnerability in the U-Boot component of the Sonos Era-100 firmware that could allow for persistent arbitrary code execution with Linux kernel privileges
NCC Group, which reverse-engineered the boot process to achieve remote code execution on Sonos Era-100 and Sonos One devices, said CVE-2023-50809 is the result of a memory corruption vulnerability in the Sonos One’s wireless driver, which belongs to a third-party chipset manufactured by MediaTek.
“In wlan driver, there is a possible out of bounds write due to improper input validation,” MediaTek said in an advisory for CVE-2024-20018. “This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.”
The initial access obtained in this manner paves the way for a series of post-exploitation steps that include obtaining a full shell on the device to gain complete control over the smart speaker in the context of root, followed by deploying a novel Rust implant capable of capturing audio from the microphone within close physical proximity to the speaker.
The other flaw, CVE-2023-50810, relates to a chain of vulnerabilities identified in the secure boot process to breach Era-100 devices, effectively making it possible to bypass security controls and allow unsigned code execution in the context of the kernel.
This could then be combined with an N-day privilege escalation flaw to facilitate ARM EL3-level code execution and extract hardware-backed cryptographic secrets.
“Overall, there are two important conclusions to draw from this research,” the researchers said. “The first is that OEM components need to be of the same security standard as in-house components. Vendors should also perform threat modeling of all the external attack surfaces of their products and ensure that all remote vectors have been subject to sufficient validation.”
“In the case of the secure boot weaknesses, then it is important to validate and perform testing of the boot chain to ensure that these weaknesses are not introduced. Both hardware and software-based attack vectors should be considered.”
The disclosure comes as firmware security company Binarly revealed that hundreds of UEFI products from nearly a dozen vendors are susceptible to a critical firmware supply chain issue known as PKfail, which allows attackers to bypass Secure Boot and install malware.
Specifically, it found that hundreds of products use a test Platform Key generated by American Megatrends International (AMI), which was likely included in its reference implementation in the expectation that it would be replaced with another securely generated key by downstream entities in the supply chain.

“The problem arises from the Secure Boot ‘master key,’ known as the Platform Key (PK) in UEFI terminology, which is untrusted because it is generated by Independent BIOS Vendors (IBVs) and shared among different vendors,” it said, describing it as a cross-silicon issue affecting both x86 and ARM architectures.
“This Platform Key […] is often not replaced by OEMs or device vendors, resulting in devices shipping with untrusted keys. An attacker with access to the private part of the PK can easily bypass Secure Boot by manipulating the Key Exchange Key (KEK) database, the Signature Database (db), and the Forbidden Signature Database (dbx).”
As a result, PKfail allows bad actors to run arbitrary code during the boot process, even with Secure Boot enabled, letting them sign malicious code and deliver a UEFI bootkit such as BlackLotus.
“The first firmware vulnerable to PKfail was released back in May 2012, while the latest was released in June 2024,” Binarly said. “Overall, this makes this supply-chain issue one of the longest-lasting of its kind, spanning over 12 years.”
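As an added defender-side illustration (not Binarly’s scanner and not code from the article), the Python below parses the EFI_SIGNATURE_LIST structures in which UEFI stores the PK, KEK, db and dbx, and flags any X.509 entry whose subject carries the “DO NOT TRUST” / “DO NOT SHIP” text that vendor test keys typically contain; the marker list, the sample blobs and the helper names are assumptions, and the sample payloads are constructed stand-ins, not real certificates.

```python
import struct
import uuid

# GUID for X.509 entries, from the UEFI specification. On Linux the raw PK is the
# file /sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c minus its
# leading 4-byte attribute word; that stripped blob is what parse_signature_lists expects.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# Assumed watch-list of subject markers seen in reference/test keys; not exhaustive.
TEST_KEY_MARKERS = (b"DO NOT TRUST", b"DO NOT SHIP")


def parse_signature_lists(blob: bytes):
    """Yield (signature_type, signature_data) for each EFI_SIGNATURE_DATA entry in a
    concatenation of EFI_SIGNATURE_LIST structures. Every length field is checked
    against the buffer before use, so a malformed variable raises instead of over-reading."""
    off = 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(blob):
            raise ValueError("SignatureListSize inconsistent with buffer")
        if sig_size < 16 or (list_size - 28 - hdr_size) % sig_size != 0:
            raise ValueError("SignatureSize does not tile the signature body")
        for entry in range(off + 28 + hdr_size, off + list_size, sig_size):
            # EFI_SIGNATURE_DATA = SignatureOwner GUID (16 bytes) + SignatureData
            yield sig_type, blob[entry + 16:entry + sig_size]
        off += list_size


def find_test_keys(pk_blob: bytes) -> list:
    """Return the marker strings found in any X.509 PK entry. The CN is stored as a
    PrintableString/UTF8String inside the DER, so a byte search suffices for this check."""
    hits = []
    for sig_type, cert_der in parse_signature_lists(pk_blob):
        if sig_type == EFI_CERT_X509_GUID:
            hits.extend(m.decode() for m in TEST_KEY_MARKERS if m in cert_der)
    return hits


def build_signature_list(cert_der: bytes) -> bytes:
    """Constructed helper: wrap one DER-like payload in a single-entry EFI_SIGNATURE_LIST."""
    sig_size = 16 + len(cert_der)
    header = EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + sig_size, 0, sig_size)
    return header + uuid.UUID(int=0).bytes_le + cert_der


# Constructed samples: DER-looking prefixes carrying only the subject text, not real certificates.
SAMPLE_TEST_PK = build_signature_list(b"\x30\x82\x01\x00CN=DO NOT TRUST - Vendor Test PK" + b"\x00" * 8)
SAMPLE_OEM_PK = build_signature_list(b"\x30\x82\x01\x00CN=Example OEM Platform Key" + b"\x00" * 8)
```

A hit on the PK variable is the condition the page describes: the device trusts a key whose private half is shared across vendors, so the fix is a firmware update that installs an OEM-specific PK.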