bluesound-speakers-api/README.md

# Exploiting Insecure WIFI Speakers

This is very old, from when I was around 18. But it was fun, so I thought I'll describe the process from memory. 

I knew someone who had [Bluesound](https://www.bluesound.com/) WIFI speakers and I got curious about them.

They were controllable by a dedicated smartphone app. 

I installed a packet capture app on my phone and tried a bunch of things in the Bluesound app. To my amazement, the app was sending pure, **unencrypted and unauthenticated `http` requests** to the speaker for every action I took, like play, pause, change track, etc. I captured enough to reverse engineer the protocol.

What I thought would be fun, was to write a script that scans the whole network for Bluesound speakers, and then plays the [nyancat song](https://www.youtube.com/watch?v=2yJgwwDcgV8&pp=ygUIbnlhbiBjYXQ%3D) on all of them (it was still enough of a meme back then).

[bluesound.py](bluesound.py) is that script, I am posting this unedited, just the way I found it on my hard drive. It's fun to see how differently I approached coding back then and how much I've learned since. I'm not even sure the network scanning code works, it looks like it shouldn't :) I probably didn't know about subnets and netmasks.

## is this kind of a real vulnerability?

If you search on Shodan for `Brand Display Name: Bluesound` ([link to search](https://www.shodan.io/search?query=Brand+Display+Name%3A+Bluesound)), it shows 137 results. This means you can control other people's speakers with `curl`!

so idk

## Disclaimer

Please be responsible with this. I am not accountable for misuse of this code or technique, I am just sharing an interesting find. Only try it at your own risk, on devices you own or have the owner's informed consent for.
sharing the code 2024-07-03 21:12:23 +02:00			`# Exploiting Insecure WIFI Speakers`

			`This is very old, from when I was around 18. But it was fun, so I thought I'll describe the process from memory.`

			`I knew someone who had [Bluesound](https://www.bluesound.com/) WIFI speakers and I got curious about them.`

			`They were controllable by a dedicated smartphone app.`

fixed typo 2024-07-03 21:45:37 +02:00			I installed a packet capture app on my phone and tried a bunch of things in the Bluesound app. To my amazement, the app was sending pure, unencrypted and unauthenticated `http` requests to the speaker for every action I took, like play, pause, change track, etc. I captured enough to reverse engineer the protocol.
sharing the code 2024-07-03 21:12:23 +02:00
punctuation in readme for better readability 2024-07-03 21:14:53 +02:00			`What I thought would be fun, was to write a script that scans the whole network for Bluesound speakers, and then plays the [nyancat song](https://www.youtube.com/watch?v=2yJgwwDcgV8&pp=ygUIbnlhbiBjYXQ%3D) on all of them (it was still enough of a meme back then).`
sharing the code 2024-07-03 21:12:23 +02:00
i looked at the script 2024-07-03 21:23:36 +02:00			`[bluesound.py](bluesound.py) is that script, I am posting this unedited, just the way I found it on my hard drive. It's fun to see how differently I approached coding back then and how much I've learned since. I'm not even sure the network scanning code works, it looks like it shouldn't :) I probably didn't know about subnets and netmasks.`
sharing the code 2024-07-03 21:12:23 +02:00
			`## is this kind of a real vulnerability?`

			If you search on Shodan for `Brand Display Name: Bluesound` ([link to search](https://www.shodan.io/search?query=Brand+Display+Name%3A+Bluesound)), it shows 137 results. This means you can control other people's speakers with `curl`!

			`so idk`

			`## Disclaimer`

			`Please be responsible with this. I am not accountable for misuse of this code or technique, I am just sharing an interesting find. Only try it at your own risk, on devices you own or have the owner's informed consent for.`