Smart speakers have become an indispensable part of modern life and a crucial part of home automation systems. Sonos has emerged as a leader in this space and has prioritized security, which has resulted in its Sonos One Speaker becoming a Pwn2Own target for 3 consecutive years. As the first team to successfully hack it, we will share our experiences, stories, and insights from our 3-year research journey. Our talk will explore attacks at the hardware, firmware, and software levels, and discuss the evolution of the defenses we have observed from Sonos. We will also recount the cat-and-mouse game we played with the Sonos security team: why were they always able to kill our vulnerabilities so precisely, right after we developed a working exploit? This forced us to exhaust 4 different types of 0day to conquer a single Pwn2Own target.
The saga begins with our amusing but failed attempt in the first year, followed by our strong comeback in the second year, when we successfully took over the target using an integer underflow. After the competition, we witnessed a significant leap in Sonos’s defense mechanisms, which made our struggle with the Sonos security team even more challenging in the third year. To provide a comprehensive overview of our research, we will cover hardware attacks, such as leveraging a DMA attack to jailbreak the device and obtain a local shell; firmware analysis, from firmware decryption to vulnerability discovery in the firmware over-the-air (FOTA) mechanism; and, of course, software-level attack surface analysis and vulnerability mining in different ways. We will detail the stories behind our successful exploitations, such as bypassing all protections to exploit the target, racing the thread stack to different primitives to exploit the Stack Clash, and leveraging different types of vulnerabilities to achieve RCEs. These stories are all essential parts of our journey to win the Pwn2Own Toronto 2022 championship trophy and at least $80K in rewards.
Orange Tsai is the principal security researcher of DEVCORE and a core member of the CHROOT security group in Taiwan. He is also the champion and "Master of Pwn" title holder of Pwn2Own 2021/2022. In addition, Orange has spoken at several top conferences such as Black Hat USA/ASIA, DEF CON, HITCON, HITB GSEC/AMS, CODE BLUE, POC, and WooYun!
Currently, Orange is a 0day researcher focusing on web/application security. His research has won not only the Pwnie Award for "Best Server-Side Bug" in 2019/2021 but also 1st place in the "Top 10 Web Hacking Techniques" of 2017/2018. Orange also enjoys bug bounties in his free time. He is enthusiastic about RCE bugs and has uncovered RCEs in numerous vendors such as Twitter, Facebook, Uber, Apple, GitHub, Amazon, etc.
Twitter: @orange_8361 Blog: http://blog.orange.tw/