SONOS One Hacked, listen up people

May 31 2023


Welcome to Gone Phishing, your daily cybersecurity newsletter that takes cybersecurity seriously, like the government with BoJo’s WhatsApp messages.

Today’s hottest cyber security stories:

  • Good ‘Hacktors’ win $105k for reporting security flaws in Sonos One speakers

  • CAPTCHA-breaking services on offer to cybercriminals. Please, no MaaS!

  • One million customer records leaked in SimpleTire blowout

SONOS STOP, COLLABORATE AND LISTEN

Here’s a nice positive story to help you through hump day, folks: an example of the good acting hacking community coming together to alert a company that came up cyber-short and being well compensated for their valiant efforts. Great stuff!

So, what happened? Well, if you’ll kindly turn down the music and lend me your ears, I’ll let you know. Basically, a particular model of Sonos One speakers had a few major holes in its cybersecurity which would mean that hackers could potentially tune in and drop out… Sorry, execute arbitrary code in the context of the root user.

Are your speakers listening to you?

In other words, the critical vulnerabilities would have allowed those who had the know-how and were so inclined to hack in through the speakers and access any music-playing device connected: a scary concept indeed!

You gotta Pwn it 2 Own it!

Fortunately, the vulnerabilities were demonstrated by three different teams from Qrious Secure, STAR Labs, and DEVCORE at the Pwn2Own hacking contest held in Toronto late last year, netting them $105,000 in the process. Not a bad take, eh? Ransomware, eat your heart out!

Technical stuff

Multiple security flaws uncovered in Sonos One wireless speakers could potentially be exploited to achieve information disclosure and remote code execution, the Zero Day Initiative (ZDI) said in a report published last week.

The list of four flaws, which impact Sonos One Speaker 70.3-35220, is as follows:

  • CVE-2023-27352 and CVE-2023-27355 (CVSS scores: 8.8) – Unauthenticated flaws that allow network-adjacent attackers to execute arbitrary code on affected installations.

  • CVE-2023-27353 and CVE-2023-27354 (CVSS score: 6.5) – Unauthenticated flaws that allow network-adjacent attackers to disclose sensitive information on affected installations.

Congratulations to the guys from Qrious Secure, STAR Labs, and DEVCORE who managed to give Sonos One the heads up before the boss music started playing.

And, if you’re the proud owner of the 70.3-35220 variety of Sonos One speakers, don’t panic but do listen to reason and download the patch.

Yep, there is indeed a patch. Music to your ears, right?


HACKERS: CAPTCHA ME IF YOU CAN!

Hold on to your passwords, friends. Cybersecurity researchers have stumbled upon a wild phenomenon in the digital jungle. Brace yourselves for the CAPTCHA-breaking extravaganza!

It seems some sneaky mischief-makers are now offering CAPTCHA-bypassing services (another example of MaaS) for sale. These services are designed to hoodwink systems that are supposed to separate real humans from bot invaders.

But fear not, fellow internet adventurers! The cybersecurity guardians are on the case. They've sounded the alarm and are working tirelessly to protect the digital realm from these CAPTCHA-busting bandits.

So, next time you encounter a CAPTCHA, take a moment to appreciate the battle that's raging behind the scenes. It's a war between good and evil, between humans and bots, between the mischievous and the virtuous.

FYI, CAPTCHA – short for Completely Automated Public Turing test to tell Computers and Humans Apart – is a tool for differentiating real human users from automated users with the goal of combating spam and restricting fake account creation.

What the experts say:

"Because cybercriminals are keen on breaking CAPTCHAs accurately, several services that are primarily geared toward this market demand have been created," Trend Micro said in a report published last week.

"These CAPTCHA-solving services don't use [optical character recognition] techniques or advanced machine learning methods; instead, they break CAPTCHAs by farming out CAPTCHA-breaking tasks to actual human solvers."

This revelation provides a whole new perspective to the famous CAPTCHA phrase that requires a click in the affirmative: “I am not a robot.”

CONGRATULATIONS, YOU’RE THE 1,000,000TH LEAK… PUNCTURE? 🤔

This latest leak brought Philadelphia-based tyre retailer SimpleTire screeching to a halt once they were fingered as the source of the hack.

Yes, this well-known automotive retailer experienced a database configuration error that resulted in the exposure of 1TB worth of records, including customers' personal information.

Suspected Fowl-play 😉

The incident was reported by security researcher Jeremiah Fowler to the web-builder site after he traced the records back to SimpleTire.

SimpleTire is an online tire retailer that boasts a network of over 10,000 installers and more than 3000 independent supply points.

Despite Fowler's responsible disclosure efforts, which involved sending "multiple email notices" to SimpleTire, the non-password-protected database remained publicly accessible to anyone with an internet connection for over three weeks.

Finally, the issue was addressed, and access to the database was locked down. Another win for the good guys! But a shame their response was slower than a… really slow puncture.

Incidentally, our sincerest apologies if any of you are beginning to tyre of our relentless puns 😬

Stay safe, true believers!

So long and thanks for reading all the phish!
