In the dead of night, you awake to the sound of a creaking door. Upon finally falling back asleep, a dish smashes to the floor downstairs. Over the next few nights, it gets worse: First footsteps, then a wailing child in the distance. As rational as you consider yourself, it feels inescapable: This house is haunted. Before you freak out, you might want to check your Sonos app.
That’s because you’ve probably fallen victim to Ghosty, an inventive Sonos hack created by a developer named Aaron Gotwalt. Using an unofficial Sonos API, some spooky audio files, and a Raspberry Pi, Gotwalt built a system that allows you subtly take control of a Sonos system and freak people out with sounds that are straight out of a haunted mansion.
“Sonos and many other devices like it–things that live in our homes, connected to our network connections–have no effective security inside the network they’re on,” says Gotwalt. “As a result, it’s quite easy to manipulate these devices for home automation purposes.”
Some home automation products already put wireless speaker systems to work in useful and interesting ways. But if you ever wanted to tap into one’s Sonos speakers for the sole purpose of gradually driving people out of their minds for your own entertainment, you were out of luck. Until now.
Sonos doesn’t have an officially documented API, so Gotwalt–who contributes to the Sonos Ruby gem–helped craft an unofficial one.
“By observing and reverse-engineering the way that their official client software interacts with the devices we’ve managed to reconstruct a significant feature set,” he says.
For Gotwalt, Ghosty is a proof of concept. With it, he hopes to demonstrate that the same unofficial APIs used for more useful purposes can be used for “unexpected things,” as he puts it. In this case, horrifying anyone with a Sonos system.
Gotwalt’s code runs off of a tiny Raspberry Pi, which can be surreptitiously connected to the same network as the Sonos speakers. Once it’s running on the network, the creepy little app will randomly select speakers–which are typically situated in different rooms–lower the volume, and play haunted house sound effects at frustratingly random (and thus unpredictable) intervals. The only way to detect what’s happening, Gotwalt explains, is by looking at the Sonos Controller app while the sounds are playing. Otherwise, the whole thing is pretty much invisible to the victim.
“This was originally built to prank some coworkers who have tons of Sonos products,” says Gotwalt. “I think it also asks interesting questions about the security of network-connected devices in our homes while being a benign little hack.”
Despite the lack of an official API, this isn’t the first time somebody has hacked Sonos. This Twilio-Sonos integration is just one example. A GitHub search for “Sonos” turns up many more. As tempting as it may be to try, Gotwalt admits, Ghosty is not exactly plug-and-play. As of now, it’s probably best suited for engineering types. More adventurous tinkerers may want to read the documentation closely and consider reaching out for extra help.
Either way, the project offers an inspirational hint at what’s possible in the era of connected, hackable devices.