tags: pwn2own, iot, secure_boot, firmware, hardware_hacking, stack_overflow
original link: Listen Up: Sonos Over-The-Air Remote Kernel Exploitation and Covert Wiretap
newsletter link: exploits.club Weekly Newsletter 34 - V8 Confusions, Smart Speaker Spying, Summer Camp Round-Up, And More
Exploits Club Summary:
NCC Group (more specifically, @alexjplaskett and @robHerrera_) released a 40-page whitepaper ahead of their Black Hat talk covering their exploitation of 2 Sonos speakers. The paper first walks through the stack overflow identified in the Sonos One's wireless kernel driver while handling WPA2 handshake negotiations. They discuss how they narrowed the attack surface, identified and triggered the bug, the complications encountered during exploitation, and the post-exploitation techniques used to covertly capture audio on the victim device. The second part of the paper talks through 3 bootloader vulnerabilities which not only allow for persistent code execution, but also the ability to dump the OTP data and thereby decrypt future firmware updates. The paper is well written and extremely thorough; we highly recommend everyone give it a read.