Dive into a captivating conference talk that explores the unexpected twists and turns of security research on smart speakers. Follow along as the presenter recounts their journey investigating the SONOS One smart speaker for the Pwn2Own competition, which led to a deep dive into the secure boot implementation of the AMLogic system-on-a-chip and SONOS's proprietary flash encryption. Learn the essentials of ARM Trusted Firmware design and the challenges faced when examining the SONOS One. Discover how the research pivoted to a "softer" target, a Lenovo smart clock, to gain insights into a similar system. Explore a vulnerability that allows decryption of Lenovo bootloader blobs without revealing the actual keys. Delve into the analysis of EL3 secure monitor code and the exploitation of a zero-day vulnerability to compromise the EL3 privileged context. See how these learnings were applied to the SONOS One system and how obstacles were overcome using a DMA attack over the PCI Express bus. Witness the process of blind memory corruption exploitation to break the secure monitor on SONOS, leading to the extraction of secrets from OTP memory and the protected BootROM. Finally, uncover the modifications SONOS made to the Linux kernel LUKS encryption subsystem and learn how AES-XTS keys for filesystem decryption were recovered using the dumped OTP memory secrets. This talk is perfect for those interested in low-level tinkering, hardware, ARM assembly, and breaking modern privilege boundaries.