The luxury smart speaker maker Sonos incurred the wrath of longtime customers this week when it announced that it will no longer support products it manufactured and sold as recently as 2011.
But the bigger sting may still be ahead, as unpatched and unpatchable Sonos products open doors to customers’ data and networks.
In a blog post this week, Sonos announced that its original Zone Players, Connect, and Connect:Amp, first-generation Play:5, CR200, and Bridge products will no longer receive software updates or new features. That includes security patches needed to address exploitable holes in software that runs the home audio devices. The products were released between 2006 and 2009, with some sold as recently as 2015.
“Without new software updates, access to services and overall functionality of your sound system will eventually be disrupted, particularly as partners evolve their technology,” the company said.
Customers turned to social media to express their anger over the decision. “I’ve been showing off my Sonos system to everyone who visits. Now I’ll be warning everyone to buy anything but. Feeling abused,” wrote the Twitter user @gregoryseguin in a post that captured the sentiments of many customers.
But Sonos users have more to worry about than Spotify playlists cut short. Both research and recent events indicate that unpatched and unsupported Internet-connected products are targets of opportunity for malicious actors.
Malware like the Mirai botnet demonstrated the risk posed by large populations of vulnerable or unpatched connected devices. In that incident, more than 100,000 digital video recorders, webcams and other devices were compromised by a malicious program, then enlisted to launch crippling denial of service attacks against individuals and companies.
Since that time, Mirai variants have been linked to large denial of service attacks on banks and other targets, leveraging global populations of Internet-connected and unpatched IoT endpoints.
Often, IoT devices contain simple software configuration errors or coding problems that result in security holes. For example, last year millions of Imperial Dabman IoT radios were found to ship with weak passwords that could allow a remote attacker to achieve root access to the gadgets’ embedded Linux operating system. Such issues can be addressed in software updates and patches – but not if that kind of support is discontinued.
Sonos has sold millions of Internet-connected speakers since its founding 17 years ago, and the company has cultivated a reputation for solidly built, high-quality (if expensive) hardware. Historically, software updates and patches have been part of the package. For example, in 2017, researchers at the security firm Trend Micro reported that models of Sonos’s Play:1 and Sonos One speakers were vulnerable to remote attacks that could take control of the devices. A scan of the Internet reveals thousands of Sonos devices, including Sonos One and models of the Sonos:Play device, that are publicly accessible.
According to the company, customers will have the option of simply continuing to use the products without support. Or, customers can “recycle” their legacy Sonos gear and receive a 30% discount on replacement gear.
The move is just the latest in which manufacturers have announced they are abandoning products or discontinuing support for them. Microsoft announced that e-books purchased on its online store would disappear from customers’ virtual bookcases in July 2019, when it disabled a digital rights management (DRM) server used to manage the site.
In September, Apple also announced a range of older iPhones and iPads that would not work with its new iOS 13 release, likewise rendering those devices unsupportable.
Embedded device makers like NetGear, ASUS and others make public protestations about their commitment to product security. But there is little objective evidence that such statements are anything more than words. For example, an extensive study of thousands of device firmware images from those companies and 16 other vendors by the Cyber Independent Testing Lab found that the security of device firmware is terrible and has not improved in any measurable way over the last 15 years, even as attacks on connected devices like home routers have spiked.
“Nobody is trying,” said Sarah Zatko, the Chief Scientist at the Cyber Independent Testing Lab (CITL), a non-profit organization that conducts independent tests of software security. “We found no consistency in a vendor or product line doing better or showing improvement. There was no evidence that anybody is making a concerted effort to address the safety hygiene of their products,” she said.
For their part, consumers suffer from “information asymmetry,” according to a study published by The Internet Society. Consumers lack the domain expertise to evaluate vendor claims about the security of their products. Beyond that, “the consumer is rarely provided with information on product aftercare: the regularity of updates, the speed with which security holes will be patched, and the duration of ongoing device support.”