Overview
Explore a Black Hat conference presentation detailing the discovery and exploitation of vulnerabilities in Sonos devices, focusing on remote kernel exploitation and security breaches. Learn about the device architecture and security controls of Sonos products, including their secure boot process and disk encryption implementations. Dive deep into the Wi-Fi driver architecture and attack surface of the Sonos One, examining a critical WPA2 handshake vulnerability that enables remote kernel compromise. Follow the development of exploitation techniques that led to creating a covert wiretapping capability and the first-ever "jailbreak" of the Sonos Era-100, affecting 23 different Sonos products. Understand how these security breaches allowed for the extraction of cryptographic material and enabled hidden audio recordings through compromised devices.
Syllabus
Listen Up: Sonos Over-The-Air Remote Kernel Exploitation and Covert Wiretap
Taught by
Black Hat