Listen Up: Sonos Over-The-Air Remote Kernel Exploitation and Covert Wiretap
Black Hat USA 2024 · Day 1 · Briefing
This talk, presented by Robert Herrera and Alex Plaskett of NCC Group, covers critical security vulnerabilities discovered in Sonos smart speakers. The primary focus is an **over-the-air remote kernel exploitation** of the **Sonos One Gen 2** device, leveraging a vulnerability in its Wi-Fi driver. The research achieved **remote code execution (RCE)** at the kernel level and demonstrated a **covert wiretap** by recording audio from the compromised device's microphone. The presentation also briefly touches on ongoing research into a secure boot bypass for the more recent **Sonos Era 100** device.