Sunday, November 17, 2024
HomeVulnerability AnalysisGoogle Home Smart Speaker Flaw Let Attackers Spy on User Conversations

Google Home Smart Speaker Flaw Let Attackers Spy on User Conversations

Published on

The Google Home smart speaker was hacked recently by a security analyst (Matt Kunze) who found that there is a flaw that could allow hackers to install a backdoor on it. 

This could enable threat actors to spy on the device and conversations of users by accessing the microphone feed to control the speaker remotely.

A total of $107,500 was awarded to Matt for his responsibility in reporting security issues found in Google Home. In an earlier publication, the researcher provided technical details about how the flaw can be exploited and outlined an attack scenario for demonstrating the flaw’s application.

- Advertisement - SIEM as a Service

Google Home Smart Speaker Flaw

As an experiment was being conducted by the researcher with the use of his own Google Home mini speaker, he found that he was able to send commands to the speaker remotely by using the Google Home application, which makes use of the cloud API to send commands.

In order to find out whether Google Home has any local HTTP API, the researcher used the Nmap scan tool to locate the port. To capture the encrypted HTTPS traffic, he set up a proxy in the hopes of stealing the user authorization token from the traffic.

There seems to be a two-step process required to add a new user to the target device that the researcher discovered. There are several elements from the local API that it requires in order to accomplish this and here they are mentioned below:-

  • Device name
  • Certificate
  • Cloud ID

A link request could be sent to the Google server using this information. Using a Python script, the analyst automated the exfiltration of local device data and replicated the link request to add the rogue user to a target Google Home device.

In support of the actions listed above, the researcher published three proofs-of-concept on GitHub. The latest firmware version of Google Home, however, should not be compatible with these devices.

It is possible to perform the following actions via the Google Home speaker when a rogue account is associated with the target device:-

  • Controlling smart switches
  • Making online purchases
  • Remotely unlocking doors
  • Remotely unlocking vehicles
  • Brute-forcing the user’s PIN for smart locks

Moreover, the researcher discovered that adding a piece of code to a malicious routine will allow the command “call [phone number]” to be exploited by the attacker.

By using this method, the attacker would be able to call the attacker’s number and receive a live audio feed through the microphone at a specified time.

A blue LED would be visible on the device during a call, which is the only indication that there is some activity going on during the call. It is possible that if the victim notices it, they may assume that the firmware is being updated on the device.

There is a standard indicator for the activation of the microphone which uses a pulsing LED, but this does not occur while the call is in progress.

Patch for Google Home Smart Speaker

In January 2021, Kunze became aware of the problems, and Google fixed all of them by April of that same year. Due to the use of Google Play Services OAuth APIs, patching and repackaging the Google Home app is not possible, so root access is necessary to intercept the traffic it sends and receives.

In this patch, a new invite-based system has been introduced that will deal with the linking of accounts. There is still a way to deauthenticate Google Home, but it cannot be used to link a new Google account if you want to do so. 

Therefore it is also impossible to access the local API that was responsible for leaking basic device data.

Secure Web Gateway – Web Filter Rules, Activity Tracking & Malware Protection – Download Free E-Book

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Critical TP-Link DHCP Vulnerability Let Attackers Execute Arbitrary Code Remotely

A critical security flaw has been uncovered in certain TP-Link routers, potentially allowing malicious...

Chinese SilkSpecter Hackers Attacking Black Friday Shoppers

SilkSpecter, a Chinese financially motivated threat actor, launched a sophisticated phishing campaign targeting e-commerce...

Cybercriminals Launch SEO Poisoning Attack to Lure Shoppers to Fake Online Stores

The research revealed how threat actors exploit SEO poisoning to redirect unsuspecting users to...

Black Basta Ransomware Leveraging Social Engineering For Malware Deployment

Black Basta, a prominent ransomware group, has rapidly gained notoriety since its emergence in...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

New AI Tool To Discover 0-Days At Large Scale With A Click Of A Button

Vulnhuntr, a static code analyzer using large language models (LLMs), discovered over a dozen...

Critical Automative 0-Day Flaws Let Attackers Gain Full Control Over Cars

Recent discoveries in the automotive cybersecurity landscape have unveiled a series of critical zero-day...

Pootry EDR Killer Malware Wipes Out Security Tools From Windows Machine

Windows drivers can be abused to bypass security measures. Attackers can exploit vulnerabilities in...