
Cracking into smart speakers to cue up songs and spooky sounds is a common trend today. The vulnerability, identified by security firm Trend Micro in a new case study, exposes user data like device names and email addresses associated with streaming-music services—just enough info to allow for targeted earworm attacks.
Disturbingly, the researchers needed only basic Internet-scanning tools to ID targetable devices.
The culprit: Weak home-network security habits.
The Trend Micro team found that some 500 Bose SoundTouch speakers and up to 5,000 Sonos Play:1 and Sonos One systems were exposed to remote hijacking.
For the moment, the implications of this vulnerability scarcely go beyond a funny prank, but the research should serve as an important reminder to be vigilant about home network security. It’s almost 2018, and we’re still reminding ourselves about the basics of securing our devices. Please, resolve to do these three things.
Don’t ignore updates
We get it, software updates are annoying. They clog up your notifications and put the brakes on your uncontrollable, momentary urge to blast “Despacito” at full volume. But, more and more often, those patches contain vital security updates.
“Software does have mistakes, and it needs to be regularly maintained,” says Nunnikhoven. “The small pain of updating those things will have real impact downstream.”
Limit network chatter
It’s a simple enough concept. The more devices, hard drives, computers, and dog bowls you connect to your Wi-Fi network, the more you have to pay attention to the security settings and network access granted to each individual device. “Every device you add is another potential attack point,” says Nunnikhoven.
Advanced users, he continues, can connect too much for their own good, allowing outside devices to remote into hard drives or servers on the network. For instance, gamers set up their own Minecraft or other servers and let other players access them.
“There’s no reason to allow anything from the outside to initiate a connection into my home,” Nunnikhoven says. The only inbound network traffic, he explains, should be a direct response to a request to load a website or song or video from a device on the network—say, a laptop or set-top box.
Right out of the box, most routers are set up to block any inbound requests. But anyone with a little know-how can dig into the settings and change that.
If you’re dead-set on sharing files, opt instead for a free or low-cost cloud service like Dropbox or Google Drive. “What hope do you have of running your own Dropbox and running it securely?” jokes Nunnikhoven.
Popular Science/SSF/AIMD