Cybersecurity researchers from NCC Group have uncovered significant vulnerabilities in Sonos smart speakers that could allow an attacker within Wi-Fi range to covertly record audio and transmit it to a remote server — effectively turning a smart speaker into a listening device.
Understanding the Vulnerability: CVE-2023-50809
The primary vulnerability, CVE-2023-50809, enables remote code execution by attackers within Wi-Fi range of affected Sonos speakers. The flaw existed in all speaker firmware prior to Sonos S2 version 15.9 and Sonos S1 version 11.12, released in October and November 2023 respectively. According to Sonos, the vulnerability stemmed from a flaw in the wireless network driver that failed to properly validate an information element during the WPA2 four-way handshake, allowing low-privileged attackers in proximity to execute arbitrary code remotely.
Proof of Concept: Silent Audio Capture
In a proof-of-concept demonstration, NCC Group researchers exploited CVE-2023-50809 to gain complete control over a Sonos One speaker. From there, they enabled covert audio recording and transmitted the captured data to an attacker-controlled server — all without any visible indication to the user.
MediaTek’s Role and Response
The vulnerability also implicated Sonos hardware supplier MediaTek, whose Wi-Fi System-on-Chip (SoC) is used in several Sonos models. MediaTek released patches at the hardware level in March 2024 to address the underlying driver issue.
Additional Security Concern: CVE-2023-50810
A second flaw, CVE-2023-50810, affects the secure boot implementation of the Sonos Era-100, specifically within the U-Boot component. When chained with a known privilege escalation issue, researchers demonstrated persistent code execution with elevated privileges — surviving reboots and firmware reinstalls.
Sonos Speaker Owners with Affected Models in Multi-User Environments
All Sonos speaker owners running firmware older than S2 15.9 or S1 11.12 were vulnerable. Particularly at risk are environments where Sonos speakers are deployed in shared or semi-public spaces — offices, hotel rooms, and open-plan apartments — where a nearby attacker can reach the device’s Wi-Fi signal without physical access.
Securing Sonos Speakers: Firmware Update and Network Isolation
- Verify your Sonos speaker firmware is on S2 version 15.9+ or S1 version 11.12+ via the Sonos app under Settings > System > System Updates
- Enable automatic updates in the Sonos app to receive future security patches without delay
- Place Sonos speakers on a dedicated IoT VLAN or network segment isolated from sensitive workstations
- If you suspect compromise, perform a factory reset and reconfigure the device from scratch
- Consider disabling microphone-enabled speakers in sensitive meeting rooms until firmware is verified
Sonos published an official security bulletin on August 1, 2024, confirming the patches and encouraging all users to update immediately.
