Perhaps you've been hearing strange sounds in your home—ghostly creaks and moans, random Rick Astley tunes, Alexa commands issued in someone else's voice. If so, you haven't necessarily lost your mind. Instead, if you own one of a few models of internet-connected speaker and you've been careless with your network settings, you might be one of thousands of people whose Sonos or Bose devices have been left wide open to audio hijacking by hackers around the world.

Researchers at Trend Micro have found that some models of Sonos and Bose speakers—including the Sonos Play:1, the newer Sonos One, and Bose SoundTouch systems—can be pinpointed online with simple internet scans, accessed remotely, and then commandeered with straightforward tricks to play any audio file that a hacker chooses. Only a small fraction of the total number of Bose and Sonos speakers were found to be accessible in their scans. But the researchers warn that anyone with a compromised device on their home network, or who has opened up their network to provide direct access to a server they're running to the external internet—say, to host a game server or share files—has potentially left their fancy speakers vulnerable to an epic aural prank.

"The unfortunate reality is that these devices assume the network they're sitting on is trusted, and we all should know better than that at this point," says Mark Nunnikhoven, a Trend Micro research director. "Anyone can go in and start controlling your speaker sounds," if you have a compromised devices, or even just a carelessly configured network.

Trend's researchers found that scanning tools like NMap and Shodan can easily spot those exposed speakers. They identified between 2,000 and 5,000 Sonos devices online, depending on the timing of their scans, and between 400 and 500 Bose devices. The impacted models allow any device on the same network to access the APIs they use to interface with apps like Spotify or Pandora without any sort of authentication. Tapping into that API, the researchers could simply ask the speakers to play an audio file hosted at any URL they chose, and the speakers would obey.

The researchers note that audio attack could even be used to speak commands from someone's Sonos or Bose speaker to their nearby Amazon Echo or Google Home. They went so far as to test out the attack on the Sonos One, which has Amazon's Alexa voice assistant integrated into its software. By triggering the speaker to speak commands, they could actually manipulate it into talking to itself, and then executing the commands it had spoken.