The recent disclosure of vulnerabilities in Sonos devices is a reminder that AV is no longer a hardware discipline with incidental software. It is a software-defined environment with physical endpoints. And software brings supply chain risk.
The AV industry has spent the past decade chasing smarter systems, sleeker interfaces, and frictionless integration. Touch panels replaced switches and cloud dashboards replaced racks of blinking lights while speakers gained microphones and displays gained operating systems. Everything became connected.
But accountability for the code running underneath did not evolve at the same pace.
In August 2024, security researchers Robert Herrera and Alex Plaskett of NCC Group presented findings at Black Hat USA showing how certain Sonos devices could be manipulated through multiple vulnerabilities, effectively enabling covert audio capture. Sonos cooperated with the researchers and issued patches. The exploit required physical access or proximity, which reduces large-scale remote threat scenarios.
But that is not the point.
The deeper issue is architectural. One of the vulnerabilities involved a MediaTek driver component. That driver, or similar OEM-level code, may exist across numerous other Android-based products, so a flaw discovered in one product family becomes a potential exposure across many others.
This is no longer a single-device problem. It is a software supply chain problem.
AV systems today are built on embedded Linux distributions, third-party drivers, open-source libraries, and cloud-based services. Microphones, cameras, and control processors are no longer passive hardware. They are networked compute nodes with firmware, patch cycles, and dependency trees.
Yet the AV industry rarely documents those dependencies with the same rigor IT teams demand. That gap leads to the concept AV must adopt more aggressively: the Software Bill of Materials.
A Software Bill of Materials (SBOM) is an ingredient list for software. It catalogs components, suppliers, version strings, hashes, and relationships. When a vulnerability is discovered in a specific library or driver, organizations can quickly identify every system that contains it.
AV integrators are meticulous about hardware Bills of Materials. Every cable, matrix switch, and mounting bracket is tracked. But how many projects include firmware version logs? How many integrators maintain transparency around open-source packages embedded in control processors? How many clients can request a full software dependency map for their AV infrastructure?
Without that visibility, vulnerability management becomes guesswork.
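To make the ingredient-list idea concrete, here is a small added example (not from the article, and not any vendor's tooling) of what an AV integrator's SBOM inventory could look like in practice. It records components, suppliers, version strings, hashes and dependency relationships for three constructed endpoints, alongside the firmware version log the article asks about, and answers the question an advisory raises: which installed systems contain the affected component at a version below the fix? Device names, asset tags, component names such as `example-oem-wifi-driver`, and all versions are placeholders, and the hashes are constructed stand-ins for real artifact digests. The JSON output follows the general shape of a CycloneDX document but is simplified.

```python
"""Added example: minimal SBOM inventory and vulnerability lookup for AV endpoints."""
from dataclasses import dataclass, field
import hashlib
import json


@dataclass(frozen=True)
class Component:
    """One entry in the ingredient list: supplier, version, and a hash of the artifact."""
    name: str
    version: str
    supplier: str
    sha256: str


@dataclass
class DeviceSbom:
    """Software bill of materials for one installed AV endpoint, plus its firmware version."""
    asset_tag: str
    product: str
    firmware: str
    components: list = field(default_factory=list)
    # Relationships: component name -> names of components it bundles or links against.
    depends_on: dict = field(default_factory=dict)


def artifact_hash(name, version):
    # Constructed stand-in: a real SBOM records the digest of the shipped binary.
    return hashlib.sha256(f"{name}@{version}".encode()).hexdigest()


def component(name, version, supplier):
    return Component(name, version, supplier, artifact_hash(name, version))


def version_key(version):
    """Turn a dotted version string into a comparable tuple ("1.10.2" -> (1, 10, 2))."""
    return tuple(int(part) for part in version.split("."))


def build_inventory():
    """Constructed inventory for three endpoints; all names and versions are placeholders."""
    speaker = DeviceSbom("SPK-001", "conference-room speaker", "fw 4.2.0")
    speaker.components += [
        component("example-oem-wifi-driver", "1.4.2", "Example OEM"),
        component("openssl", "3.0.7", "OpenSSL Project"),
        component("audio-stack", "2.1.0", "Speaker Vendor"),
    ]
    speaker.depends_on["audio-stack"] = ["openssl"]

    panel = DeviceSbom("TP-007", "touch panel", "fw 9.1.3")
    panel.components += [
        component("example-oem-wifi-driver", "1.5.0", "Example OEM"),
        component("openssl", "3.0.7", "OpenSSL Project"),
    ]

    camera = DeviceSbom("CAM-003", "PTZ camera", "fw 2.8.1")
    camera.components += [
        component("openssl", "1.1.1", "OpenSSL Project"),
    ]
    return [speaker, panel, camera]


def systems_containing(inventory, name, fixed_in=None):
    """Asset tags of devices shipping `name`; with `fixed_in`, only versions below the fix."""
    hits = []
    for sbom in inventory:
        for comp in sbom.components:
            if comp.name != name:
                continue
            if fixed_in is None or version_key(comp.version) < version_key(fixed_in):
                hits.append(sbom.asset_tag)
    return sorted(hits)


def to_cyclonedx(sbom):
    """Serialize one device SBOM into a simplified CycloneDX-style JSON document."""
    refs = {c.name: f"{c.name}@{c.version}" for c in sbom.components}
    doc = {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "metadata": {"component": {"type": "device", "name": sbom.product, "version": sbom.firmware}},
        "components": [
            {
                "type": "library",
                "bom-ref": refs[c.name],
                "name": c.name,
                "version": c.version,
                "supplier": {"name": c.supplier},
                "hashes": [{"alg": "SHA-256", "content": c.sha256}],
            }
            for c in sbom.components
        ],
        "dependencies": [
            {"ref": refs[parent], "dependsOn": [refs[child] for child in children]}
            for parent, children in sbom.depends_on.items()
        ],
    }
    return json.dumps(doc, indent=2)


if __name__ == "__main__":
    inventory = build_inventory()
    # A (constructed) advisory says the OEM driver is fixed in 1.5.0: which endpoints still need patching?
    print(systems_containing(inventory, "example-oem-wifi-driver", fixed_in="1.5.0"))
    print(to_cyclonedx(inventory[0]))
```

The lookup is deliberately boring: once components and versions are recorded per asset, answering "which rooms contain this driver?" is a filter rather than a site survey. The dependency map matters for the second-order case the article describes, where a flaw sits in a library bundled inside another vendor's component and would not show up in a firmware version alone.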
The Sonos case also reveals the ongoing shift in mindset. Many assume that a speaker is simply an audio output device. In reality, modern smart speakers include microphones, wireless radios, authentication stacks, and remote update services. If a device has a microphone, it is a potential listening surface. If there is a camera, it is a surveillance vector. If it connects to a network, it becomes part of the broader threat landscape.
The engineer who raised this issue made a personal decision to avoid unnecessary connected devices at home. In enterprise AV, abstinence is not an option. Boardrooms, command centers, and collaboration spaces depend on intelligent systems.
But intelligent systems require intelligent governance.
As AV increasingly converges with IT, clients will expect software transparency. Government and defense contracts already demand supply chain visibility. Enterprise cybersecurity teams will ask integrators for firmware provenance and component inventories. The Sonos vulnerabilities were responsibly disclosed and patched. That reflects a mature vendor response. The broader lesson is more structural: AV must treat software components with the same scrutiny as physical hardware. Because in modern AV, the risk does not reside in the speaker grille. It resides in the code behind it.
The industry has embraced smartness. It now needs to embrace traceability.