
BlackHat USA 2024 - Listen-Up: Sonos Over-The-Air Remote Kernel Exploitation and Covert Wiretap

8 August 2024

by Alex Plaskett, Robert Herrera

On Thursday, 8 August 2024, Robert Herrera (@robHerrera_) and Alex Plaskett (@alexjplaskett) presented this talk at BlackHat USA in Las Vegas.

The materials for the talk can be downloaded here:


Slides

Over the last year NCC Group found and exploited many different vulnerabilities within Sonos devices. This led to a complete break of Sonos's secure boot process across a wide range of devices, and to the remote compromise of several devices over the air.

We leveraged these vulnerabilities to perform hidden recordings from the microphone, demonstrating how a remote attacker could obtain covert audio capture from Sonos devices.

The talk opens with an introduction to Sonos devices, describing the device architecture and the security controls implemented (such as secure boot and disk encryption).

It then moves into a deep dive on the Wi-Fi driver architecture and attack surface of the Sonos One, and describes a vulnerability we identified in the WPA2 handshake that allows a remote attacker to compromise the kernel over the air.

The talk then covers the exploitation of this issue and the novel challenges of developing a remote kernel exploit.

To wrap up this section, we demonstrated the attack by turning the device into a wiretap that captures all audio within physical proximity of the compromised device.

Finally, we discussed the vulnerabilities and exploitation techniques that allowed us to develop the world's first "jailbreak" of Sonos's flagship device, the Era-100, by breaking the secure boot chain. The underlying issues affected 24 Sonos products and allowed the extraction of cryptographic material.

For more detailed information see the slides attached.


Whitepaper

Within the whitepaper, NCC Group describes the reverse engineering process and exploitation techniques that were used to achieve arbitrary code execution on both the Sonos Era-100 and the Sonos One devices.

The whitepaper expands on the presentation material and provides more in-depth background into both vulnerable areas and exploitation techniques.

First, the Sonos One and Era-100 devices are introduced, with a discussion of their architecture and attack surface.

The paper is then split into two major sections. The first covers a memory corruption vulnerability identified in the WPA2 handshake handling of the Sonos One's wireless driver. The driver belongs to a third-party MediaTek chipset; MediaTek released the associated patch in its March 2024 Security Bulletin (CVE-2024-20018).

Within this section, we discuss the vulnerability itself and the steps necessary to exploit it, as well as a detailed listing of the techniques used to achieve code execution (such as an in-depth return-oriented programming (ROP) payload).

After this, we describe the post-exploitation process of obtaining a full shell on the device and a novel implant we developed for capturing audio from the device's microphone.

The other major section of the whitepaper is dedicated towards the Sonos Era-100 device. NCC Group previously identified weaknesses within the secure boot process on the device.

The secure boot process of the Era-100 was exploited through several chained vulnerabilities in the U-Boot bootloader. The exploit yielded code execution at EL3 (the highest ARM exception level, where the secure monitor firmware runs), which allowed NCC Group to load arbitrary unsigned images and dump hardware-backed cryptographic secrets.

Sonos has released fixes for these vulnerabilities (CVE-2023-50810).

For more detailed information please see the whitepaper attached.


Video