The Google Home smart speaker was hacked recently by a security analyst (Matt Kunze) who found that there is a flaw that could allow hackers to install a backdoor on it.
This could enable threat actors to spy on the device and conversations of users by accessing the microphone feed to control the speaker remotely.
A total of $107,500 was awarded to Matt for his responsibility in reporting security issues found in Google Home. In an earlier publication, the researcher provided technical details about how the flaw can be exploited and outlined an attack scenario for demonstrating the flaw’s application.
Google Home Smart Speaker Flaw
As an experiment was being conducted by the researcher with the use of his own Google Home mini speaker, he found that he was able to send commands to the speaker remotely by using the Google Home application, which makes use of the cloud API to send commands.
In order to find out whether Google Home has any local HTTP API, the researcher used the Nmap scan tool to locate the port. To capture the encrypted HTTPS traffic, he set up a proxy in the hopes of stealing the user authorization token from the traffic.
There seems to be a two-step process required to add a new user to the target device that the researcher discovered. There are several elements from the local API that it requires in order to accomplish this and here they are mentioned below:-
- Device name
- Certificate
- Cloud ID
A link request could be sent to the Google server using this information. Using a Python script, the analyst automated the exfiltration of local device data and replicated the link request to add the rogue user to a target Google Home device.
In support of the actions listed above, the researcher published three proofs-of-concept on GitHub. The latest firmware version of Google Home, however, should not be compatible with these devices.
It is possible to perform the following actions via the Google Home speaker when a rogue account is associated with the target device:-
- Controlling smart switches
- Making online purchases
- Remotely unlocking doors
- Remotely unlocking vehicles
- Brute-forcing the user’s PIN for smart locks
Moreover, the researcher discovered that adding a piece of code to a malicious routine will allow the command “call [phone number]” to be exploited by the attacker.
By using this method, the attacker would be able to call the attacker’s number and receive a live audio feed through the microphone at a specified time.
A blue LED would be visible on the device during a call, which is the only indication that there is some activity going on during the call. It is possible that if the victim notices it, they may assume that the firmware is being updated on the device.
There is a standard indicator for the activation of the microphone which uses a pulsing LED, but this does not occur while the call is in progress.
Patch for Google Home Smart Speaker
In January 2021, Kunze became aware of the problems, and Google fixed all of them by April of that same year. Due to the use of Google Play Services OAuth APIs, patching and repackaging the Google Home app is not possible, so root access is necessary to intercept the traffic it sends and receives.
In this patch, a new invite-based system has been introduced that will deal with the linking of accounts. There is still a way to deauthenticate Google Home, but it cannot be used to link a new Google account if you want to do so.
Therefore it is also impossible to access the local API that was responsible for leaking basic device data.
Secure Web Gateway – Web Filter Rules, Activity Tracking & Malware Protection – Download Free E-Book