As a leader in the design and development of smart speakers for over 15 years, Sonos knows a thing or two about securing hardware. And even though Sonos always takes a security-first approach in developing their products, when they introduced new technologies into their latest voice-enabled speaker, they recognized the need to bring on outside support to validate their security measures.

Sonos’ new Move device introduced a highly complex attack surface that included novel product hardware and software interactions, the integration of new technologies, and a host of new API endpoints. Given the complexity of the product, Sonos needed to ensure:

1. They had strong security coverage across all points of entry
2. Customers were secure from potential eavesdropping attacks via the microphone

For a partner with deep technical knowledge and extensive experience testing consumer hardware, Sonos turned to Bishop Fox.

“At Sonos, the hardware is a key component to the overall security posture. So having a partner that is comfortable with hardware-based penetration tests was very important to us. I’ve worked with a number of different vendors, but when it came time to figure out who to use for Sonos, I ultimately knew Bishop Fox was the best fit for us.”

— Jim Hong, Director of Product Management

Setup Matters

When the Bishop Fox team arrived to the Sonos office, armed with their portable hardware testing arsenal (affectionately called “The Case of Doom”), the Sonos team was prepared for them. They provided a private room, complete with prototypes of the new devices, testing harnesses, test boards, access to all the relevant applications, underlying systems, and product source code, plus a channel where they could readily communicate with internal experts.

This collaborative and thoughtful white-box approach lowered the learning curve and allowed the Bishop Fox team to jump in uninhibited and maximize the time reviewing the attack surface and finding vulnerabilities.

But, before the soldering irons and multimeters came out, the two teams aligned on the assessment objectives. For Sonos, it was imperative that the engagement:

• Identify product security weaknesses that could allow an attacker to compromise the privacy of customers or intellectual property
• Determine if the new Bluetooth and USB interfaces presented security risks
• Evaluate the communications between Move devices, the iOS and Android mobile applications, and the cloud-based APIs
• Validate that the Move device meets Alexa Voice Service security requirements

With the goals in place, the Bishop Fox team was let loose to do what they do best: break stuff.

Agile Approach

Given the technical depth and complexity of the assessment, the Bishop Fox team opted not to employ a fixed methodology or fixed set of tests. Instead, they partnered with Sonos to develop a hit list of all the items that needed review – from USB-C to Bluetooth, the microphone to the bootloader, and everything in between. Each target was written on a sticky note and added to a Kanban board. This agile workflow allowed the teams to assign tasks, manage priorities, and provide real-time transparency around progress and activities. It also allowed the Sonos team to engage at opportune moments and brainstorm new approaches, discuss strategies, and offer insights based on their product knowledge.

The ability to adapt day to day and quickly shift focus proved to be central in this successful partnership.

“Having Bishop Fox on site for a couple of weeks is different than how we’ve worked with other companies. And I think it was a lot more effective. It gave us the opportunity to talk through things, and if they found something they were excited about, we were right there to engage with them.”

— Jonathan Wenocur, Sr. Software Engineering Manager

As a bonus, the open communication throughout the engagement gave the Sonos team an opportunity to learn about the different approaches and tools that drive an in-depth hardware assessment.

Beyond the Boilerplate

As with every Bishop Fox engagement, Sonos’ hardware assessment was customized from top to bottom. Although a series of standard reviews were performed to validate that the device met Alexa Voice Service security requirements, the bulk of the engagement was tailored based on the inputs provided by Sonos and the findings uncovered by the Bishop Fox team along the way.

The Bishop Fox team was able to thoroughly evaluate the product’s security controls and review what would happen to other defensive layers in the event of a catastrophic exploit. This unfettered access allowed Bishop Fox to check components and exercise testing scenarios that would have traditionally been overlooked.

One of the common pitfalls of hardware testing engagements is that testers will report on theoretical vulnerabilities that they don’t have the capacity to exploit.

With Sonos’ blessing, the Bishop Fox team created an active exploit for one of the vulnerabilities identified. The exploit allowed the Sonos team to observe a true attack on their device firsthand and understand how they could enhance their security measures to foil similar attacks. The exploit provided external feedback to strengthen their argument for allocating additional resources to their security teams.

“I think the level of enthusiasm that they brought in general was really great to see. It was clear that they all enjoyed what they were doing. It was a challenge and they wanted to see if they could find problems and break into the product. And that’s exactly what you’re looking for in a good pen tester.”

— Jonathan Wenocur, Sr. Software Engineering Manager

The Impact

Although the assessment team found one critical vulnerability that impacted an often-overlooked piece of hardware, they were able to determine that the new Sonos device was otherwise highly resilient to attack.

“The most serious vulnerability they found (which by the way none of the other companies who’d reviewed the product ever found) was a relatively easy thing for us to fix. The rest of the findings were medium or low- level findings, but they added ammunition to the sum of our efforts internally to prioritize addressing some of these concerns.”

— Michael Agerbak, Technical Lead, Product Security

The engagement also demonstrated that Sonos has set the bar very high for product security. Not only do they follow security best practices, but they are committed to securing their devices and taking the necessary steps to know their security posture.

“Sonos was super open. Their team was really interested and fully engaged, and could not do enough to help us. They were absolutely invested in it. It was obvious that it permeated through the culture of development and everything else.”

— Carl Livitt, Bishop Fox Principal Researcher

Looking to the Future

As Sonos continues to enhance home audio for their customers, Bishop Fox will be there to support their security efforts as they take on a new challenge focused on the infrastructure around their ecosystem, cloud services, and controllers.

“The level of depth of professionalism that the Bishop Fox team brought to the project allowed us to establish a strong relationship. It reinforces that Bishop Fox is the right fit; the right set of folks to make sure that the rest of our ecosystem is well designed and architected.”

— Jim Hong, Director of Product Management

So, to Sonos product owners reading this – Sonos has you covered.

They’ve made secure moves to secure Moves.

About Sonos

Sonos is one of the world’s leading sound experience brands. As the inventor of multi-room wireless home audio, Sonos innovation helps the world listen better by giving people access to the content they love and allowing them to control it however and wherever they choose. Known for delivering an unparalleled sound experience, thoughtful design aesthetic, simplicity of use and an open platform, Sonos makes the breadth of audio content available to anyone.