The Roku streaming video device and the Sonos Wi-Fi speakers suffer from the same DNS rebinding flaw reported in Google Home and Chromecast devices earlier this week.

The devices don’t require authentication for connections received on a local network; and, HTTP is used to configure or control embedded devices.

A team of academic researchers has demonstrated that it’s possible to possible to closely mimic legitimate voice commands in order to carry out nefarious actions on these home assistants.