Recent Sonos Security Vulnerabilities Reinforce the Need for AV ‘Software Bill of Materials’
I have been working in “tech” for roughly 30 years. I started in IT, then went into live audio, then AV integration, and eventually, cybersecurity. I now engineer secure audiovisual systems, KVMs and video walls for the United States military. One might think my home is full of the latest technologies, that I have smart lighting and whole home audio systems.
Wrong. I live in a log-cabin-style home with minimal technology. No smart lighting or Nest thermostats or Ring doorbells here. I have a newish TV but I still have my fluorescent-backlit Aquos. My speakers are old PA speakers from the ‘90s, and I have a VHS collection.
While the systems I design typically have a touch panel control system, you will never find one in my house. I prefer hard switches, clocks that tick and cars without Wi-Fi routers.
Why, you ask?
Because the more things are considered “smart,” the more vulnerable they are to attacks.
Case in point: On Aug. 8, 2024, Robert Herrera (@robHerrera_) and Alex Plaskett (@alexjplaskett) presented a talk at Black Hat USA in Las Vegas describing a number of vulnerabilities in Sonos devices. For those who don’t know, Black Hat is one of the larger infosec (hacker) conferences, and Sonos is a brand of wireless home audio products.
Robert and Alex work with NCC Group, a group of over 15,000 who, according to its website, “assess, develop and manage cyber threats across our increasingly connected society. [They] advise global technology, manufacturers, financial institutions, critical national infrastructure providers, retailers and governments on the best way to keep businesses, software and personal data safe.”
Back to my nightmare: the NCC Group researchers figured out how to turn a Sonos device into a covert listening device, capturing audio from its built-in microphones without the owner knowing a recording was taking place.
Readers can watch a video of the exploitation here.
You can also download the materials for the Black Hat talk describing the Sonos vulnerabilities here.
Anyway, the good news is that Sonos cooperated with the researchers before they presented their findings and has since released fixes for the vulnerabilities (CVE-2023-50809 and CVE-2023-50810).
Sonos users just have to update the software on their devices. The other good news is that a nosy attacker needs physical access to the device, or must be within close proximity of it, to carry out the attacks. But still, that could easily be a roommate, neighbor or spouse. There are a lot of amateur hackers out there, and very few of them are prosecuted.
Also, more than one vulnerability was leveraged here, and one of them was not in Sonos’s own code at all: it was in a driver supplied by MediaTek, the chipset vendor, so the same flaw could be leveraged in dozens of other Android devices that ship that driver.
Here’s what I’m saying: what all of this points to is the need for what is called a Software Bill of Materials (SBOM) for AV. A Software Bill of Materials lists all of the software components used in a program or device, along with their versions. When one of those components is found to be vulnerable, like the MediaTek driver in the Sonos devices, you can identify every other device that ships the same suspect code, rather than waiting for each vendor to discover it on its own.
According to CISA’s Software Bill of Materials website: “A ‘software bill of materials’ (SBOM) has emerged as a key building block in software security and software supply chain risk management. An SBOM is a nested inventory, a list of ingredients that make up software components.”
A good place to start learning about SBOMs is this FAQ from CISA. It states:
“An SBOM should contain some combination of the following baseline information: author name, supplier name, component name, version string, component hash, unique identifier, and relationship. Licensing, pedigree, and provenance should also be included, if available. For detailed information about SBOM baseline component information, see section 2.2 of ‘Framing Software Component Transparency: Establishing a Common Software Bill of Material (SBOM).’”
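To make that concrete, here is an added example (my own, not code from this article, from Sonos, NCC Group or CISA) that does the cross-reference described above: given a pile of SBOMs, find every product that ships a newly vulnerable vendor-supplied component below the fixed version, and check that a shipped binary actually matches the hash its SBOM entry records. The SBOMs are constructed inline in a minimal CycloneDX-style JSON shape carrying the baseline fields in the CISA quote (supplier name, component name, version string, component hash, purl as the unique identifier, and a dependency relationship to the product). Every product, vendor, component name, version and binary below is a hypothetical placeholder, not a real Sonos or MediaTek identifier.

```python
import hashlib
import json

# Constructed stand-in for a vendor-supplied driver binary, so the component
# hash recorded in the sample SBOM can be recomputed and checked offline.
DRIVER_BLOB = b"hypothetical wlan-driver 1.4.2 image bytes"
DRIVER_SHA256 = hashlib.sha256(DRIVER_BLOB).hexdigest()


def _component(name, version, supplier, sha256=None):
    """One SBOM component entry: supplier, name, version, purl and optional hash."""
    vendor = supplier.lower().replace(" ", "-")
    comp = {
        "type": "library", "name": name, "version": version,
        "supplier": {"name": supplier},
        "purl": f"pkg:generic/{vendor}/{name}@{version}",  # unique identifier
    }
    if sha256:
        comp["hashes"] = [{"alg": "SHA-256", "content": sha256}]
    return comp


def _sbom(product, product_version, supplier, components):
    """Minimal CycloneDX-1.5-style document for one product (constructed sample)."""
    return json.dumps({
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "metadata": {
            "component": {"type": "firmware", "name": product, "version": product_version},
            "supplier": {"name": supplier},
        },
        "components": components,
        # Relationship: the product depends on every listed component.
        "dependencies": [{"ref": product, "dependsOn": [c["purl"] for c in components]}],
    })


# Four hypothetical products; only the first two ship the affected driver build.
SAMPLE_SBOMS = [
    _sbom("speaker-a", "14.2", "Vendor A", [
        _component("wlan-driver", "1.4.2", "Chipset Vendor X", DRIVER_SHA256),
        _component("audio-codec", "2.0.1", "Vendor A"),
    ]),
    _sbom("soundbar-b", "3.1", "Vendor B", [
        _component("wlan-driver", "1.3.9", "Chipset Vendor X"),  # no hash recorded
    ]),
    _sbom("touch-panel-c", "7.0", "Vendor C", [
        _component("wlan-driver", "1.5.0", "Chipset Vendor X"),  # already at the fixed version
    ]),
    _sbom("amp-d", "1.0", "Vendor D", [
        _component("wlan-driver", "1.4.2", "Other Chipset Vendor"),  # same name, unrelated code
    ]),
]


def parse_version(version):
    """'1.10.2' -> (1, 10, 2) so versions compare numerically; non-numeric parts sort lowest."""
    return tuple(int(p) if p.isdigit() else -1 for p in version.split("."))


def find_affected(sbom_docs, component_name, supplier, fixed_version):
    """Products whose SBOM lists `component_name` from `supplier` below `fixed_version`."""
    hits = []
    for doc in sbom_docs:
        bom = json.loads(doc)
        product = bom["metadata"]["component"]
        for comp in bom.get("components", []):
            if comp["name"] != component_name:
                continue
            if comp.get("supplier", {}).get("name") != supplier:
                continue  # same name from another vendor is a different code base
            if parse_version(comp["version"]) < parse_version(fixed_version):
                hits.append({
                    "product": f'{product["name"]} {product["version"]}',
                    "component_version": comp["version"],
                    "purl": comp["purl"],
                })
    return hits


def lookup_component(sbom_doc, component_name):
    """Return the first component entry with this name, or None."""
    for comp in json.loads(sbom_doc).get("components", []):
        if comp["name"] == component_name:
            return comp
    return None


def verify_component_hash(blob, component):
    """True/False if `blob` matches the recorded SHA-256; None if no hash was recorded
    (an auditor should treat None as a gap in the SBOM, not as a pass)."""
    for h in component.get("hashes", []):
        if h["alg"] == "SHA-256":
            return hashlib.sha256(blob).hexdigest() == h["content"]
    return None


if __name__ == "__main__":
    for hit in find_affected(SAMPLE_SBOMS, "wlan-driver", "Chipset Vendor X", "1.5.0"):
        print(f'{hit["product"]} ships {hit["purl"]}; needs >= 1.5.0')
    entry = lookup_component(SAMPLE_SBOMS[0], "wlan-driver")
    print("shipped binary matches SBOM hash:", verify_component_hash(DRIVER_BLOB, entry))
```

Two details matter in practice. Matching on supplier as well as component name is deliberate, because two vendors can ship unrelated code under the same driver name and a name-only match would produce false alarms. And a missing hash is returned as None rather than False, because without a hash an SBOM entry cannot prove that the bytes on the device are the ones the entry describes, which is exactly why CISA lists the component hash among the baseline fields.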
AV installers already understand what a bill of materials is, but how many are diligent, much less transparent, about the code in the systems they deploy, or keep a record of which firmware versions they installed? How many new AV technologies and programmers are using “open source” code?
It’s time to start asking ourselves, “what could go wrong?” when it comes to AV. If there is a microphone in a system or device, assume someone is listening. If there is a camera, assume someone is watching. If you are presenting, assume someone is taking screenshots. And if it’s a so-called “smart” device, assume that someone can hack it.