Cybersecurity researchers have uncovered weaknesses in Sonos smart speakers that could be exploited by malicious actors to clandestinely eavesdrop on users.
The vulnerabilities “led to an entire break in the security of Sonos’s secure boot process across a wide range of devices and remotely being able to compromise several devices over the air,” NCC Group security researchers Alex Plaskett and Robert Herrera said.
Successful exploitation of one of these flaws could allow a remote attacker to obtain covert audio capture from Sonos devices by means of an over-the-air attack. They impact all versions prior to Sonos S2 release 15.9 and Sonos S1 release 11.12, which were shipped in October and November 2023.
The findings were presented at Black Hat USA 2024. A description of the two security defects is as follows –
- CVE-2023-50809 – A vulnerability in the Sonos One Gen 2 Wi-Fi stack that does not properly validate an information element while negotiating a WPA2 four-way handshake, leading to remote code execution
- CVE-2023-50810 – A vulnerability in the U-Boot component of the Sonos Era-100 firmware that could allow for persistent arbitrary code execution with Linux kernel privileges
NCC Group, which reverse-engineered the boot process to achieve remote code execution on Sonos Era-100 and Sonos One devices, said CVE-2023-50809 is the result of a memory corruption vulnerability in the Sonos One’s wireless driver, part of a third-party Wi-Fi chipset manufactured by MediaTek.
“In wlan driver, there is a possible out of bounds write due to improper input validation,” MediaTek said in an advisory for CVE-2024-20018. “This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.”
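An added example, not code from NCC Group, MediaTek or Sonos: the bug class the advisory above names, an out-of-bounds write caused by trusting a remote peer's length field, shown on the structure the NCC description points at. 802.11 information elements are type-length-value records with a one-byte length byte, and the RSN element travels inside the EAPOL-Key frames of the WPA2 four-way handshake, so a rogue access point chooses that length byte. The 64-byte destination buffer, the IE layout and the sample frames are assumptions constructed for this illustration; nothing here reproduces the actual MediaTek code path.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative example written for this article. It is not the MediaTek or
 * Sonos driver source and does not claim to reproduce CVE-2023-50809's exact
 * code path; it shows the bug class the MediaTek advisory names (an
 * out-of-bounds write from improper input validation) on an 802.11
 * information element: 1-byte ID, 1-byte length, body, with the length
 * chosen by the remote peer. */

#define IE_RSN       48   /* RSN IE, carried in EAPOL-Key frames of the WPA2 4-way handshake */
#define RSN_BUF_MAX  64   /* assumed size of the fixed buffer the IE body is copied into */

/* VULNERABLE: trusts the peer-supplied length for both the read (no check
 * against the bytes actually present) and the write (no check against the
 * destination size). A 1-byte length field allows up to 255 bytes. */
int copy_rsn_ie_vulnerable(const uint8_t *ies, size_t ies_len, uint8_t *dst)
{
    size_t off = 0;
    while (off + 2 <= ies_len) {
        uint8_t id = ies[off], len = ies[off + 1];
        if (id == IE_RSN) {
            memcpy(dst, ies + off + 2, len);   /* writes len bytes, even past a 64-byte dst */
            return (int)len;
        }
        off += 2 + len;
    }
    return -3;
}

/* HARDENED: the two missing checks. Returns the copied length, or a negative
 * code: -1 IE overruns the frame, -2 IE exceeds dst_cap, -3 no RSN IE found. */
int copy_rsn_ie_hardened(const uint8_t *ies, size_t ies_len, uint8_t *dst, size_t dst_cap)
{
    size_t off = 0;
    while (ies_len - off >= 2) {
        uint8_t id = ies[off], len = ies[off + 1];
        if (len > ies_len - off - 2) return -1;   /* IE claims more bytes than the frame holds */
        if (id == IE_RSN) {
            if (len > dst_cap) return -2;         /* IE body larger than our buffer */
            memcpy(dst, ies + off + 2, len);
            return (int)len;
        }
        off += 2 + len;
    }
    return -3;
}

/* Constructed input (not captured traffic): a 4-byte SSID IE followed by an
 * RSN IE whose length byte claims `claimed_len` while `present_len` bytes follow. */
size_t build_ies(uint8_t *out, size_t cap, uint8_t claimed_len, size_t present_len)
{
    size_t n = 0;
    if (cap < 8 + present_len) return 0;
    out[n++] = 0; out[n++] = 4; memcpy(out + n, "test", 4); n += 4;
    out[n++] = IE_RSN; out[n++] = claimed_len;
    for (size_t i = 0; i < present_len; i++) out[n++] = (uint8_t)(0x41 + i % 26);
    return n;
}

/* Result of the hardened parser on the constructed input. */
int scenario_hardened(uint8_t claimed_len, size_t present_len)
{
    uint8_t ies[512], dst[RSN_BUF_MAX];
    size_t n = build_ies(ies, sizeof ies, claimed_len, present_len);
    return copy_rsn_ie_hardened(ies, n, dst, sizeof dst);
}

/* Runs the vulnerable copy into one array where the first 64 bytes are the
 * "buffer" and the 256 zeroed bytes after it stand in for adjacent driver
 * state; returns how many adjacent bytes were overwritten. Using a single
 * array keeps the demonstration itself within defined behaviour. */
size_t scenario_vulnerable_bytes_past_end(uint8_t claimed_len)
{
    uint8_t ies[512], region[RSN_BUF_MAX + 256];
    memset(region, 0, sizeof region);
    size_t n = build_ies(ies, sizeof ies, claimed_len, claimed_len);
    copy_rsn_ie_vulnerable(ies, n, region);
    size_t clobbered = 0;
    for (size_t i = RSN_BUF_MAX; i < sizeof region; i++) clobbered += region[i] != 0;
    return clobbered;
}

int main(void)
{
    printf("hardened, 20-byte RSN IE:              %d\n", scenario_hardened(20, 20));
    printf("hardened, 200-byte RSN IE:             %d\n", scenario_hardened(200, 200));
    printf("hardened, IE claims 50 but 10 present: %d\n", scenario_hardened(50, 10));
    printf("vulnerable, 200-byte RSN IE: %zu bytes written past the buffer\n",
           scenario_vulnerable_bytes_past_end(200));
    return 0;
}
```

The hardened parser performs the two checks the vulnerable one skips: the element length against the bytes actually left in the frame, and the element length against the destination capacity. Both are needed; the first stops an over-read of the frame, the second the over-write that the advisory describes.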
The initial access obtained in this manner paves the way for a series of post-exploitation steps that include obtaining a full shell on the device to gain full control in the context of root, followed by deploying a novel Rust implant capable of capturing audio from the microphone within close physical proximity to the speaker.
The other flaw, CVE-2023-50810, pertains to a chain of vulnerabilities identified in the secure boot process to breach Era-100 devices, effectively making it possible to circumvent security controls and allow unsigned code execution in the context of the kernel.
This could then be combined with an N-day privilege escalation flaw to facilitate ARM EL3 (secure monitor) level code execution and extract hardware-backed cryptographic secrets.
“Overall, there are two important conclusions to draw from this research,” the researchers mentioned. “The first is that OEM components need to be of the same security standard as in-house components. Vendors should also perform threat modeling of all the external attack surfaces of their products and ensure that all remote vectors have been subject to sufficient validation.”
“In the case of the secure boot weaknesses, then it is important to validate and perform testing of the boot chain to ensure that these weaknesses are not introduced. Both hardware and software-based attack vectors should be considered.”
The disclosure comes as firmware security company Binarly revealed that hundreds of UEFI products from nearly a dozen vendors are susceptible to a critical firmware supply chain issue known as PKfail, which allows attackers to bypass Secure Boot and install malware.
Specifically, it found that hundreds of products use a test Platform Key generated by American Megatrends International (AMI), which was likely included in its reference implementation in the expectation that it would be replaced with a securely generated key by downstream entities in the supply chain.
“The problem arises from the Secure Boot ‘master key,’ known as the Platform Key (PK) in UEFI terminology, which is untrusted because it is generated by Independent BIOS Vendors (IBVs) and shared among different vendors,” it said, describing it as a cross-silicon issue affecting both x86 and ARM architectures.
“This Platform Key […] is often not replaced by OEMs or device vendors, resulting in devices shipping with untrusted keys. An attacker with access to the private part of the PK can easily bypass Secure Boot by manipulating the Key Exchange Key (KEK) database, the Signature Database (db), and the Forbidden Signature Database (dbx).”
As a result, PKfail allows bad actors to run arbitrary code during the boot process, even with Secure Boot enabled, letting them sign malicious code and deliver a UEFI bootkit such as BlackLotus.
“The first firmware vulnerable to PKfail was released back in May 2012, while the latest was released in June 2024,” Binarly said. “Overall, this makes this supply-chain issue one of the longest-lasting of its kind, spanning over 12 years.”
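An added example, not Binarly's tooling: a parser for the raw PK variable as Linux exposes it under /sys/firmware/efi/efivars, which walks the EFI_SIGNATURE_LIST structures the PK is stored in and flags X.509 entries whose bytes contain a marker string. It assumes, as publicly reported but not stated on this page, that the AMI test certificates carry the text "DO NOT TRUST" in their subject; the constructed sample "certificate" bytes in the code are placeholders, not real DER. A hit means "inspect this key and compare it with a published list of known test keys", not proof on its own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example for this article, not Binarly's tooling: walk a raw UEFI PK
 * variable as Linux exposes it in efivarfs (4 bytes of attributes, then one
 * or more EFI_SIGNATURE_LIST structures) and report X.509 entries whose DER
 * bytes contain a marker string. Assumption, not stated on the page: the AMI
 * test certificates carry "DO NOT TRUST" in their subject, so that substring
 * is the indicator. Treat a hit as "inspect this key", not as proof. */

#define EFIVARS_ATTR_LEN 4
#define ESL_HEADER_LEN   28   /* SignatureType(16) + ListSize(4) + HeaderSize(4) + SignatureSize(4) */
#define SIG_OWNER_LEN    16   /* each signature entry starts with a SignatureOwner GUID */

static const char PK_EFIVAR[] = "/sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c";

/* EFI_CERT_X509_GUID a5c059a1-94e4-4aa7-87b5-ab155c2bf072 in stored (mixed-endian) byte order */
static const uint8_t EFI_CERT_X509_GUID[16] = {
    0xa1,0x59,0xc0,0xa5, 0xe4,0x94, 0xa7,0x4a, 0x87,0xb5, 0xab,0x15,0x5c,0x2b,0xf0,0x72 };

struct pk_report { int lists, x509_certs, marker_hits, malformed; };

static uint32_t le32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static void put32(uint8_t *p, uint32_t v)
{ p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }

static int contains(const uint8_t *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; m && i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

struct pk_report scan_pk_variable(const uint8_t *var, size_t var_len, const char *marker)
{
    struct pk_report r = {0, 0, 0, 0};
    size_t off = EFIVARS_ATTR_LEN;
    if (var_len < off) { r.malformed = 1; return r; }
    while (off < var_len) {
        const uint8_t *esl = var + off;
        if (var_len - off < ESL_HEADER_LEN) { r.malformed = 1; break; }
        uint32_t list_size = le32(esl + 16), hdr_size = le32(esl + 20), sig_size = le32(esl + 24);
        /* every size field comes from firmware storage: validate before walking */
        if (list_size < ESL_HEADER_LEN || list_size > var_len - off ||
            hdr_size > list_size - ESL_HEADER_LEN || sig_size <= SIG_OWNER_LEN ||
            (list_size - ESL_HEADER_LEN - hdr_size) % sig_size != 0) { r.malformed = 1; break; }
        r.lists++;
        if (memcmp(esl, EFI_CERT_X509_GUID, 16) == 0) {
            for (size_t s = ESL_HEADER_LEN + hdr_size; s < list_size; s += sig_size) {
                r.x509_certs++;
                if (contains(esl + s + SIG_OWNER_LEN, sig_size - SIG_OWNER_LEN, marker)) r.marker_hits++;
            }
        }
        off += list_size;
    }
    return r;
}

/* Builds one X.509 EFI_SIGNATURE_LIST holding a single entry, used for the
 * constructed sample below (the "certificate" bytes are a placeholder, not
 * real DER). Returns bytes written, 0 if there is no room. */
size_t build_x509_esl(uint8_t *out, size_t cap, const uint8_t *der, size_t der_len)
{
    size_t sig_size = SIG_OWNER_LEN + der_len, total = ESL_HEADER_LEN + sig_size;
    if (cap < total) return 0;
    memcpy(out, EFI_CERT_X509_GUID, 16);
    put32(out + 16, (uint32_t)total); put32(out + 20, 0); put32(out + 24, (uint32_t)sig_size);
    memset(out + ESL_HEADER_LEN, 0, SIG_OWNER_LEN);
    memcpy(out + ESL_HEADER_LEN + SIG_OWNER_LEN, der, der_len);
    return total;
}

/* Constructed PK variable: one list, one entry, payload with or without the marker. */
struct pk_report scan_constructed_pk(int with_marker)
{
    static const char tainted[] = "...CN=DO NOT TRUST - AMI Test PK...";
    static const char clean[]   = "...CN=Vendor Production Platform Key...";
    const char *body = with_marker ? tainted : clean;
    uint8_t var[256] = {0x27, 0, 0, 0};   /* NV|BS|RT|TIME_BASED_AUTH_WRITE attributes, then the lists */
    size_t n = EFIVARS_ATTR_LEN + build_x509_esl(var + EFIVARS_ATTR_LEN, sizeof var - EFIVARS_ATTR_LEN,
                                                 (const uint8_t *)body, strlen(body));
    return scan_pk_variable(var, n, "DO NOT TRUST");
}

int main(void)
{
    uint8_t var[8192];
    FILE *f = fopen(PK_EFIVAR, "rb");
    size_t n = f ? fread(var, 1, sizeof var, f) : 0;
    if (f) fclose(f);
    struct pk_report r = n ? scan_pk_variable(var, n, "DO NOT TRUST") : scan_constructed_pk(1);
    printf("%s: %d list(s), %d X.509 cert(s), %d marker hit(s), malformed=%d\n",
           n ? PK_EFIVAR : "constructed sample", r.lists, r.x509_certs, r.marker_hits, r.malformed);
    return 0;
}
```

On a real machine run it as root, since efivarfs is root-readable; when the variable cannot be read it falls back to the constructed sample. The same PK certificate can be cross-checked with `mokutil --pk` or `efi-readvar -v PK`, and a flagged key should be confirmed against a published list of known test keys rather than on the marker string alone.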