According to a recent report, a bug in Google Home smart speakers allowed for the installation of a backdoor account that could be used to control the device and access its microphone feed. In short, hackers could take over Google’s devices to spy on users by listening in on their conversations.
Bleeping Computer reports that a vulnerability in Google Home smart speakers allowed the creation of a backdoor account that could be used to remotely control the device and access its microphone feed, potentially turning it into a spying tool.
The flaw was discovered by researcher Matt Kunze, who received a $107,500 reward for responsibly reporting it to Google in the previous year. Kunze published technical details and an attack scenario illustrating the exploit late last week.
During his experimentation with a Google Home Mini speaker, Kunze discovered that new accounts created using the Google Home app could remotely send commands to the device through the cloud API. In order to capture the encrypted HTTPS traffic and potentially obtain the user authorization token, the researcher used a Nmap scan to locate the port for the local HTTP API of Google Home and set up a proxy.
Kunze found that adding a new user to the target device involves two steps: obtaining the device name, certificate, and “cloud ID” from its local API. This information makes it possible to send a link request to the Google server. To add an unauthorized user to a target Google Home device, Kunze implemented the linking process in a Python script that automated the extraction of local device data and reproduced the linking request.
The researcher released three proof-of-concept scripts on GitHub that demonstrate the actions involved in the hack. However, these scripts should not be effective on Google Home devices running the latest firmware version. The proofs-of-concept go beyond simply adding an unauthorized user and also enable spying through the microphone, making arbitrary HTTP requests on the victim’s network, and reading/writing arbitrary files on the device.
Read more at Bleeping Computer here.
Lucas Nolan is a reporter for Breitbart News covering issues of free speech and online censorship. Follow him on Twitter @LucasNolan