{"id":8343,"date":"2021-03-19T09:43:33","date_gmt":"2021-03-19T08:43:33","guid":{"rendered":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/?post_type=session&#038;p=8343"},"modified":"2023-05-17T08:04:49","modified_gmt":"2023-05-17T08:04:49","slug":"smart-speaker-shenanigans-making-the-sonos-one-sing-its-secrets","status":"publish","type":"session","link":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/smart-speaker-shenanigans-making-the-sonos-one-sing-its-secrets\/","title":{"rendered":"Smart Speaker Shenanigans &#8211; Making the SONOS One Sing Its Secrets"},"content":{"rendered":"<p><iframe title=\"#HITB2023AMS D2T1 - Smart Speaker Shenanigans: Making The SONOS One Sing - Peter Geissler\" width=\"800\" height=\"450\" src=\"https:\/\/www.youtube.com\/embed\/Wqcbp9wFO7o?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" allowfullscreen><\/iframe><\/p>\n<p><a href=\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/materials\/D2T1%20-%20Smart%20Speaker%20Shenanigans%20-%20Making%20the%20SONOS%20One%20Sing%20Its%20Secrets%20-%20Peter%20Geissler.pdf\">PRESENTATION SLIDES (PDF)<\/a><\/p>\n<hr \/>\n<p class=\"p3\" style=\"text-align: justify;\"><span class=\"s2\">Sometimes you take a weird detour during security research; this is the tale of one of those incidents. <\/span><\/p>\n<p class=\"p3\" style=\"text-align: justify;\"><span class=\"s2\">During a thorough investigation for the Pwn2Own competition into the SONOS One Smart Speaker product the presenter of this talk got completely side-trailed and nerdsniped into learning more about the exact details of the secure boot implementation of the underlying AMLogic system-on-a-chip and the SONOS proprietary flash encryption. 
<\/span><\/p>\n<p class=\"p3\" style=\"text-align: justify;\"><span class=\"s2\">This talks starts by explaining the essentials of ARM Trusted Firmware Design and the roadblocks we hit once we started looking at the SONOS One product. Because the SONOS One proved to be such a fortress, we&#8217;ll start by looking at a &#8220;softer&#8221; target (a &#8220;smart clock&#8221; from Lenovo) to get a nice foothold on a &#8216;same same, but different&#8217; system. We will detail a vulnerability that allows us to decrypt the Lenovo bootloader blobs without revealing the actual keys. <\/span><\/p>\n<p class=\"p3\" style=\"text-align: justify;\"><span class=\"s2\">Next, we&#8217;ll cover the thorough analysis of the EL3 secure monitor code that gatekeeps access to interesting hardware peripherals like the OTP memory. <strong>We will look into bootstrapping some code that talks to the secure monitor and<\/strong> <strong>exploit a (0day) vulnerability in order to fully compromise the EL3 privileged context<\/strong>. Now we have some foothold on a less defensive system we&#8217;ll apply what we learnt to the SONOS One system. We&#8217;ll quickly figure out it won&#8217;t be as easy as the Lenovo clock. <\/span><\/p>\n<p class=\"p3\" style=\"text-align: justify;\"><span class=\"s2\"><strong>We will use a (previously disclosed) DMA attack over the PCI express bus as a stepping stone into launching our EL3 exploit on the SONOS speaker.<\/strong> The only problem.. we don&#8217;t have access to the actual EL3 binaries on the SONOS, what now? Blind memory corruption exploitation time! Rest assured; <strong>we *will* manage to break the secure monitor running on SONOS. 
We will dump out all secrets from the OTP memory, and while we&#8217;re in the privileged context we will also dump the (protected) BootROM from the SoC.<\/strong><\/span><\/p>\n<p class=\"p3\" style=\"text-align: justify;\"><span class=\"s2\">The final part of the talk explains the modifications SONOS made to the Linux kernel LUKS encryption subsystem and how we can use the secrets we dumped from the protected OTP memory to recover the actual AES(-XTS) keys that are used for encrypting the filesystem. No more speakers needed as an oracle! If you are interested in low-level tinkering, hardware, (ARM) assembly and breaking modern privilege boundaries: this talk is for you!<\/span><\/p>\n","protected":false},"template":"","class_list":["post-8343","session","type-session","status-publish","hentry"],"acf":[],"_links":{"self":[{"href":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/wp-json\/wp\/v2\/session\/8343"}],"collection":[{"href":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/wp-json\/wp\/v2\/session"}],"about":[{"href":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/wp-json\/wp\/v2\/types\/session"}],"wp:attachment":[{"href":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/wp-json\/wp\/v2\/media?parent=8343"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}