Hi everyone. My name is Steven Hiltz. I work at Trend Micro. I'm a threat researcher, so this will be kind of a talk that's a little bit different than what you're normally seeing in IoT. I'm going to take a threat angle to some internet-connected speakers that we looked at. Those speakers themselves, we started with the Sonos and the Bose. The reason we chose the Sonos: I actually ended up buying my wife a Sonos speaker once for her birthday, and I started playing with it, got her really angry at me pretty quickly because I kept just crashing it and doing a bunch of other stuff, so work ended up buying me one. So I have two, actually I have five now, because they're actually really nice and they're really good to have. The Bose are equally as nice, same kind of issues, but these are the two that we're going to predominantly talk about. There are other vendors, of course, that are playing in the spectrum, such as Apple's new one as well. So the first thing I did when I bought the device, I scanned it on my network to see what ports were open, which is a pretty basic thing for what I normally like to do. I like to know what's on my network. I actually have these on an "internet of shit" network that I have, so they don't talk to my normal stuff. So then the next thing I did: has anyone else ever done anything with this? So there was an nmap script for Sonos, and it pulls a bunch of information such as the zone name, MAC address, serial number, what version of firmware it is. So then I was like, how is it pulling this information? When you look at the script, it goes to the IP address of the destination, port 1400, /status, and then /zp or /zl depending on the model, and it'll pull a bunch of information from this page. So that made me think, okay, what else is out there?
So when we looked at the /status page, there's all these different pages, such as accounts, system settings, preferences, CPU mon, IP config, net stats, ARP tables, all this information just right here. All you have to do is click on it and it brings up some information. There's actually a hidden debug tool that's pretty neat. It's under /tools.htm. And you can do a ping. So one of the things that was fun to do is you can find these exposed online, and we'll get there in a minute. But you type in the internal IP address range and you can do a broadcast ping, and anything that responds to broadcast pings responds. So more or less now, from an internet-connected speaker, in this tools page, I have now profiled your internal network. I know what else you have. It prints back the ARPs and things like that. You can do a traceroute, see how far back they are in the network, see where things are. You can do an nslookup; maybe they're pointing to an internal DNS server if it's inside of a company. A lot of these are exposed on university networks, and you'll see that that's kind of fun. You can start probing their internal DNS just by using this device. And then the mDNS announces. So here's an example of doing a broadcast ping on an internal network. One ping, lots of responses. Then you can pull over and look up the ARP table. Now all these devices are in that ARP table that was on that main page. So we worked with John Matherly and Shodan, and we were able to get these imported into Shodan. And this was back last year. There's roughly 4,000 devices. This bounces between 4,000 and 5,000 normally, depending on when he crawls. But it's usually right around that number. The U.S. is the number one place, and then it's always followed by Sweden, Belgium and then the Netherlands; Norway is here too. So we kind of took some of that information, and then we wanted to know which models were the most prevalent on the internet.
The Sonos Play:1, which is the one that is sitting out here everywhere around the room. If you hadn't noticed, there's one right here up on this table by Eric. That's the most predominant one. So this is just a validation that the one I had was a really good target to start looking at, versus did I choose the wrong one to see if there's any other issues. What I found most interesting: this was right after the Playbase came out, like by three weeks, and there had already been 16 exposed online. So as people were buying these, they're getting a lot and a lot, and they're just putting them online. How they're getting online is they actually do UPnP a little bit. So if your router supports UPnP, it's going to poke a hole for 1400. There's also cases where people want to be able to control their speakers remotely, and there is an API. We'll discuss that. But again, we wanted to talk about Bose as well. So we found a way to profile those online. Port 8090 is their main config page, and it uses the Allegro Software RomPager version. And the highest we've seen it is roughly around a thousand. So they're not as popular based on these numbers exposed online. I don't know if it's a less popular speaker to buy. I think it is internationally. So we're going to talk about some of the information leakage that's coming off these devices. And so you can see here a lot of stuff is blurred and some things have changed a little bit. This is one of my own that I made that kind of shows you the information, like what type of phones have connected to it. So in this case I have an iPhone, and mine is "mobile iPhone". But it usually will have the name there, say if it's Aaron's iPhone. Now I know her name is Aaron, she has an iPhone, and she connects her Sonos to it. Another interesting piece of information about that is there's the description XML file that you can see. It kind of gives a description of the actual device.
So up at the top, those are the two speakers that I had. And then below that, the media servers or anything that's connected to it. So that also will include computers, not just mobile devices. So if you connect a computer to it, it will tell you a little bit of information about the computer itself. This one is the finance page. And of course this one is mine from my local one. But it has my Gmail account; in that case that is for Pandora. There's random tokens for Spotify and for iHeartRadio as well. So you just have kind of interesting information when you look at these. The email address was going to prove, in a couple of slides, a pivotal point of information that I can have and utilize to help profile who owns the speaker. This has since been masked, and we'll talk about the disclosure pieces. Here's the information leakage on the Bose. As you can see here, there's some good information. In this case it came from SVT.SE. This is actually a journalist's Bose device that is exposed online. We've since worked with them to remove it. So we felt like maybe media people shouldn't have their devices exposed online, especially when you can put more information in and figure out information about the person. One of the things that I like about the Bose is, on this page, it will actually tell you how it's connected. Bose actually does Bluetooth, where the Sonos doesn't. So you can see if a device is connected via Bluetooth, and there's an auxiliary port, which again the Sonos doesn't have. You can do that over Wi-Fi or Ethernet only. So there's several different ways of listening to a Bose, and you can see how they've connected it. The next piece of information that I found really interesting was the scan results page. First I was like, scan results, I'll come back to that one later. But it turns out it's running the ath config scan results command to find the neighboring access points.
So what this does is pretty interesting: it gives you the BSSID, the SSID and the signal strength right there. This is used during their setup process to show you in your app, when you're trying to connect it, what the neighboring access points are. So this shouldn't actually be disabled since I've already connected it. But with the BSSID we started looking for information online. So there's this really good website: Alexander Mylnikov has a really good website where he pulls a bunch of information from all the scan results from all the wardriving and puts it into one API you can use. You're limited by Cloudflare from doing a bunch. So if you want to go around that, just find the real IP like I did, and then hard-code that in your hosts table. And then I populated everything from Shodan into this and was able to map it. So what you see here is the approximate location, latitude; the range is the RSSI that they saw. And that's in meters, so it's really far away according to this one, in this one example. But as proof of point, we just loaded it up inside of Google Earth, and that's where it roughly is. And this is in Zurich, Switzerland. So we saw one access point in Zurich, Switzerland nearby. Of course what I want to do then is make a big Google Earth image with everyone on it. So first we'll show the U.S. As you can see, most major cities have lots of pins near them, and then one off here and there. So of course we're here in Las Vegas, so let's go ahead and look and see if there's anything in Las Vegas. There's actually only one. The Flamingo, Caesars, and down there is Breathometer in a parking lot. So that's a neighboring wireless access point. We could go over there; I guarantee you we can probably see this access point over there. Does that help us with finding the actual Sonos device? No. So we're going to go through an example here that's a little bit easier. Earlier in the year I gave a version of this presentation at Hack in the Box in Amsterdam.
So that's in Europe, which, as you can see, looks better than the U.S. from an exposed stance, but it's not just closer together; there's more of these in the U.S. And again, these are only the Sonos devices, not the Bose, but we'll walk through that same process; you can do that with the Bose devices as well. So if we go into Amsterdam, you can start seeing a cluster around a device. And of course, while I was there, Hack in the Box is held a couple of blocks away. I actually walked to this area; I was able to see these access points, and you can start figuring out, kind of, you know, who around there may have a Bose or an exposed speaker. So we're going to do kind of a walkthrough of a really, really good one I did. And this is, we've identified this person, we notified this person that this was going on, and they've since removed their speakers. So if you look in the state of Colorado, we found several devices, mapped those; here's the plot from Google Earth. Guaranteed the person is somewhere in there. One of the best things is he had his email address shown via the Pandora account. So you just look up his email address on a people search, and now we have where he is, who he is, name and everything. So then we go through FamilyTreeNow or any other public records; here's his current address and last address. So then if we map the current address in there, there's the red dot in the middle of all that. See it down there, at the bottom towards the CenturyLink. So with high probability, because he saw all these access points, and that's when somebody wardrove it, we are really close in that cluster to where that address is, and now we have a person. We have a name, and what's the next thing I want to know? What does he like? He likes metal. So from this we are able to, you can pull what's currently playing via the API. At any point in time, just query it and it will tell you what's being played.
So what this does is, you can start scripting this to start pulling this and figuring out what the person likes. The other thing, from a potential attack stance, is that we now know more about the person, so we can craft an email about what their likes are. We have their email address. We know they own Sonos speakers, so we can target an email that's from one of their favorite bands for more likelihood to get a click. So we'll go through that same process with a Bose. So this is port 8080, not the 8090, which is a different one that we showed earlier, but if you go to 8080 it shows you, they only show you the SSID, not the BSSID. Luckily WiGLE lets you search based off of SSID too. And you can actually search based off of SSID on Alexander Mylnikov's as well, so I was just doing it in a different approach to show you that there's multiple ways to do this. And so that one's there, and here's an example of pulling the same information from the Bose API versus the Sonos API. In this case they like the Eagles, "Lyin' Eyes", in this one case. So that got me thinking: has anyone ever done this before? Has there been anything like this before? So then I was reading on one of the Sonos user group forums; somebody was complaining that there were these loud sounds of ghosts, creaking doors, throughout the night at random intervals playing in their house. And I was like, that's strange. There's actually a GitHub page; the thing is called ghostly. And you can just point it to an IP address. It hosts songs locally and spins up a web server and then plays at random intervals a ghostly sound, creaking doors, and this is at random volumes as well on the Sonos speaker. So it can be really quiet at 3 AM or it can be at full volume at 3 AM. So then I was like, so wait, hang on. I can play a song I'm hosting on a Sonos speaker. All I have to do is spin up a web server and point it to the Sonos speaker and say, play this song on this web server, because that's all this is doing.
The script just controls the timing randomly. Alright, that's interesting. So I did that. So I wrote a real quick version using an Alexa command, because what I was going to try was, does Alexa accept computer-generated sound clips? So I just used the say command on the Mac, or espeak on Linux, or whatever you want to do this with. There's online utilities. So can I get Alexa to do something from a Sonos speaker? You guys can probably imagine. There's a demo here. I don't know if there will be sound. I guess there's not sound that I can use nearby, is there? Does anyone know? Okay. Anyway, what I'm doing here is playing on the Sonos a sound that I recorded that said, "Alexa, what time is it?" Alexa then, as you saw there, lights up, so you can see at least visual cues, and if you want to see these demos I have a YouTube video I'll link. So there it is; it responds, it's 3:15 p.m. So that's interesting. So Bose allows you to do the same thing. It's playing a URL via the Python library libsoundtouch; these Bose devices were SoundTouches. You can point it to an MP3. Same thing. So it doesn't have to be just a Sonos. So then I was looking at the API and I found this field here for next. In this case it's highlighted. So the commands are in clear text. It literally just says "next". So there's play, pause, stop, next, and you can also adjust the volume via the API. But one of the fields I also looked at was the field called RINCON. And so I wrote this quick script, more or less just copied and pasted, because of course there's no unique identifiers or anything like that for session IDs, so replays work, because why not? I fuzzed a little bit inside of the field itself, so I looked at the RINCON field, which is a device ID type, as we saw earlier in one of those screenshots. And once we did that, the next slide, of course there will be no sound. So what happens is there's sound, it's playing, blah, blah, blah, blah.
I run the command here for the next track. This is me playing with the next track. So what we were able to do here is, while there's a queue, you can actually just tell it the next song. So it's just playing with the API here. But one of the interesting things I found, when you start playing with this API, is there's no input validation on many of the fields. So then what I did was I fuzzed those fields, so the next one, it skipped the track, and then I run what I called an exploit, but it kind of is but it's not, and the speaker stops playing. It actually takes itself off the network completely and sometimes reboots. A lot of times I had to manually reboot my speaker to get it back on. So it sends out, at the very end, right as it's crashing, it takes itself out of the mDNS announcements and says "I'm no longer here", so it will actually disjoin from other speakers that are playing. So sorry there was no sound. In that speaker thing, this was, we released this in December and there was some press. During that video there was a point where I went from Epic Sax Guy and I hit next and it went to Rick Astley, and this is the headline that Wired came up with: that people can Rickroll your speakers, not that they can be crashed or anything like that, but they can Rickroll your speakers. I thought that was funny. So one of the next few things that we were looking at, so now that I've done all this, is let's get down to looking at the device. I don't know if there's any hardware people here. I failed at all hardware attempts on this one, so this is kind of just a "hey, if you have time and you want to pursue this, please continue." So you take off the RF cage. This was a fun device; I don't know if anyone here has ever taken apart a speaker, but they pay a lot of attention to vibration, so there's a lot of hot glue everywhere, foam and things like that you have to deal with when you're taking it apart.
I have one speaker where I lost screws and now it blows air out the RJ45 on the back, so I just put a little piece of tape on it; it sounds as good as new as long as you don't turn up the volume very loud. So just, you know, normal stuff, looking at chips, and Winbond. There's actually two versions of the Play:1s, one of which is the ARM chip that you see, and then they also have a PowerPC version. I don't have a picture of the PowerPC chip. I do have a PowerPC version, though. The firmware updates are the same; functionality is all the same between the two, but there are two different chipsets that they've used. So I tried to probe around to see if I could find anything, but no data was easily found. Then I started looking harder. I think that's a UART, but all the pins are dead on it. So then we looked at that one; that's obviously a JTAG, 16-pin JTAG; all the pins were dead. And then of course, because the chips are, as I was doing the probing as well, because I couldn't find where the JTAG actually was mapping to. This is underneath the wireless card. There's some ports there that had some data, also possibly JTAG, is what we were led to; could never get it to fully be what we wanted or get any of the information off of it. This one did have data on it. I've played with the mappings and things like that; just could never get any of the information off of it. This one was interesting. I think it's a possible SWD. In fact, I popped it into the Saleae. As SWD, played with it, it sees data, just nothing good. And a big shout-out to my friend Kevin Finisterre, who actually helped on this, and he couldn't find anything either. So it was kind of a dead road from our stance. I didn't want to put a lot of time in it, but I would really like to see somebody take this and figure out some of this. In fact, I even did a probe with my STM32F4 Discovery board, and as you can see, I see it. There's a serial number for the device. I changed the pins to make it discover the board. Yeah, nothing there.
So one of the things that we were able to do is report this to Bose and to Sonos. Sonos has fixed a numerous amount of the issues. Most of the major issues have been fixed. The denial of service attack has been resolved. There is some input validation on at least that field. I haven't played with any of the other fields, but I'm hoping they fixed it appropriately. Bose, on the other hand, didn't really respond much. But on Sonos, here is the new, what you see now when you go to the status page. A shorter version. And again, the accounts are there, but the email address, all the fields that were email addresses, have been masked. So it's a really good disclosure, and Sonos fixed it. It was actually pretty frustrating, because I was in the middle of trying to shoot those videos for the YouTube video that I made, and it forced me to do an update, which fixed the problems. So I had to go buy another one and not let it update. But from what I understand now, before you can even connect the app to it, it forces you to do firmware updates. So good on Sonos again for fixing that and making people update. Before, I ran the exploit for next track and it crashed things. Now, I thought this was actually pretty interesting. They give you a 412 error back. I had to actually look it up. It's a "precondition failed". What that means is one of the conditions that I was giving it, in that case a bad RINCON, it didn't like it. So they give you a 412 error code back and then close the connection. Before I came out here, I looked at Sonos devices on Shodan. So just an update: as of August 8, there were 4,494 Sonos devices online. There's always, as I said earlier, roughly around 5,000, in between 4,000 and 5,000. Bose, there's always around 1,000. Again, as I said, there seem to be fewer of those out there. So I don't know if people are just not exposing it, their UPnP is not poking as many holes, or whatever. But they're there.
Again, Bose never really responded. I think they were fixing problems, but they never officially responded to us on this. One thing that I thought was very interesting, and it makes sense, but one of the biggest problems we have is you can still do next. You can still do all that stuff. You can still pull information from other devices about what people are listening to, what their favorite radio stations are, all the presets. You can pull that information out. One of the things that I would look for in this is, does anybody in here have a Philips Hue? When you have a Philips Hue, you have to hit the button now to authenticate the API, and you get an API key. In this case, Bose and Sonos have both responded, more or less, saying that it's an open API, and they plan on never doing any authentication with any of the end devices that can control it. And I think about, go back to that case with the ghostly hack, and that could be prevented if you could just, you know, only allow authenticated devices at the end. Which I felt like they were trying to do a little bit, because now when you try to set one up, you have to press two buttons for it to go fully into setup mode, which I think enables a lot of those pages to then be able to be searched. That's what I feel like is going on. I haven't really validated that one. So if they could just do something like that, where it then lets you grab an API key and then we can authenticate, then most of everything goes away. You know, of course there's still some faking of the, if it's in clear text and stuff like that, because it's only over HTTP and not HTTPS. So there's still little things here and there that we can fix. But I don't want to be that guy in Colorado, where I know more about his life just because of his speaker than I should know. So let's run a little bit quick. But if you have any questions, I'll be around. Find me on Twitter or anything else.
If anyone has any questions, go ahead and start shouting them out at me, or we'll meet up here. Thanks, guys. One more thing. Jasiel from ZDI is giving out some challenge coins from ZDI, and he wants to get rid of them. So if you want one, go see Jasiel, second row. Thank you, everyone.
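The talk's transport API point (clear-text play/pause/stop/next, a RINCON device-ID field with no input validation that could crash the speaker, later fixed with a 412 Precondition Failed) is easiest to see from the defender's side. The Python below is an added example written for this transcript, not code from the talk, from Sonos or from Bose: it models a command handler that validates the device-ID field before touching player state, then runs the same kind of fuzzing the speaker describes against it as a regression check. The identifier format ("RINCON_" plus 12 hex MAC digits plus "01400"), the request shape and the player state are all assumptions or constructed data.

```python
"""Validate a speaker API's device-ID field and fuzz the validator (defender-side sketch)."""
import random
import re
from dataclasses import dataclass

# Assumed format (not from the talk): "RINCON_" + 12 uppercase hex digits + literal "01400".
RINCON_RE = re.compile(r"RINCON_[0-9A-F]{12}01400")
MAX_FIELD_LEN = 64            # reject oversized input before any further parsing
TRANSPORT_COMMANDS = {"play", "pause", "stop", "next"}

# Constructed player state keyed by device ID (one fake player with a three-track queue).
PLAYERS = {
    "RINCON_000E58AABBCC01400": {"queue": ["a", "b", "c"], "index": 0, "playing": True},
}


@dataclass
class Response:
    status: int
    reason: str


def validate_rincon(value):
    """Return None when the ID is well-formed, otherwise a short rejection reason."""
    if not isinstance(value, str):
        return "device id is not a string"
    if len(value) > MAX_FIELD_LEN:
        return "device id too long"
    if not RINCON_RE.fullmatch(value):      # fullmatch: no partial or newline-terminated matches
        return "device id malformed"
    return None


def handle_transport(params, players=PLAYERS):
    """Apply a transport command; a malformed ID gets 412 Precondition Failed, as in the fixed firmware."""
    command = params.get("command")
    if command not in TRANSPORT_COMMANDS:
        return Response(400, "unknown command")
    rincon = params.get("rincon")
    reason = validate_rincon(rincon)
    if reason is not None:
        return Response(412, "Precondition Failed: " + reason)
    player = players.get(rincon)
    if player is None:
        return Response(404, "no such player")
    if command == "next":
        player["index"] = (player["index"] + 1) % len(player["queue"])
    elif command == "play":
        player["playing"] = True
    else:                                    # pause or stop
        player["playing"] = False
    return Response(200, "OK")


def fuzz_handler(iterations=2000, seed=7):
    """Feed random junk into the rincon field; the handler must never raise and never return 200."""
    rng = random.Random(seed)
    alphabet = "RINCO_0123456789ABCDEFabcdef%<>'\"\\\x00\n ;&"
    for _ in range(iterations):
        junk = "".join(rng.choice(alphabet) for _ in range(rng.randint(0, 200)))
        if handle_transport({"command": "next", "rincon": junk}).status == 200:
            return False
    return True
```

Running `fuzz_handler()` after every change to the validator is the cheap regression test that would have caught the original crash class before shipping.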