- In January 2021 a researcher found a bug in Google Home devices that allowed attackers to control the device and access its microphone remotely
- The person who found the bug told Google about it and received a $107,500 reward
- The bug allowed attackers to add a new user to the device and then use it to listen in, make requests on the victim’s network, and read or change files on the device
- The bug also allowed hackers to make the device call a phone and listen through the device’s microphone
- Google fixed the bug in April 2021
- It is now harder to add new users to the device and the “call [phone number]” command is harder to use to listen through the microphone
Hackers have been able to snoop on conversations through Google Home smart speakers due to a bug in the device’s account-linking process, according to researcher Matt Kunze.
Kunze discovered the issue and reported it responsibly to Google, receiving a $107,500 reward in return.
Earlier this week, Kunze released technical details and an attack scenario to demonstrate how the flaw could be exploited.
While experimenting with his own Google Home mini speaker, Kunze found that new accounts added through the Google Home app could send commands to the device remotely via the cloud API.
Using an Nmap scan, Kunze located the port for the Google Home’s local HTTP API and set up a proxy to capture the encrypted HTTPS traffic in an attempt to obtain the user authorization token.
Kunze discovered that adding a new user to the device is a two-step process that requires the device name, certificate, and “cloud ID” from its local API.
With this information, an attacker could send a link request to the Google server.
Kunze developed a Python script that automated the exfiltration of local device data and the linking request process, and published three proofs of concept (PoCs) on GitHub that show how a rogue user could be added to a target Google Home device.
However, these PoCs should not work on Google Home devices running the latest firmware.
The PoCs not only allow for the planting of a rogue user, but also enable spying through the microphone, making arbitrary HTTP requests on the victim’s network, and reading/writing arbitrary files on the device.
“Having a rogue account linked to the target device makes it possible to perform actions via the Google Home speaker, such as controlling smart switches, making online purchases, remotely unlocking doors and vehicles, or stealthily brute-forcing the user’s PIN for smart locks,” Kunze explained.
Kunze also found a way to abuse the “call [phone number]” command by adding it to a malicious routine that would activate the microphone at a specified time, call the attacker’s number, and send live microphone feed.
The device’s LED would turn blue during the call, which is the only indication that something is occurring.
If the victim notices the blue LED, they may believe the device is simply updating its firmware.
In addition to spying and issuing commands, it is also possible to play media on the compromised smart speaker, rename it, force a reboot, make it forget stored Wi-Fi networks, and force new Bluetooth or Wi-Fi pairings.
Kunze discovered the issue in January 2021 and provided additional details and PoCs in March. Google addressed the problem in April of that year by implementing an invite-based system for handling account links and blocking any link attempt that was not added on the Home device itself.
The “call [phone number]” command has also been protected against remote initiation through routines.
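To make the root cause and the two fixes concrete, here is an added toy model of the account-linking flow the article describes (the two-step link request built from local-API data, and the invite-based replacement) together with a guard for the routine-triggered call. It is illustration written for this page, not Kunze’s PoC and not Google’s implementation; the class names, fields, the invite format and the `origin` tag on routines are all constructed assumptions.

```python
"""Toy model of the Google Home account-link flow (added illustration; not
Kunze's PoC and not Google's code). Field names, the invite format and the
routine 'origin' tag are constructed for this example."""
from dataclasses import dataclass, field
import secrets


@dataclass
class Device:
    """One speaker as the link service sees it.

    name, cert_fingerprint and cloud_id stand in for the data the article says
    is readable from the device's local API. Anyone on the LAN can obtain them,
    so they must never be treated as proof that the owner authorised a link.
    """
    name: str
    cert_fingerprint: str
    cloud_id: str
    owner: str
    linked_accounts: set = field(default_factory=set)
    pending_invites: dict = field(default_factory=dict)  # invite_id -> invitee


class LinkServiceBefore:
    """Pre-fix behaviour as described: a link request carrying the device's
    name, certificate and cloud ID is accepted without the owner's consent."""

    def __init__(self, devices):
        self.devices = {d.cloud_id: d for d in devices}

    def link(self, account, name, cert_fingerprint, cloud_id):
        dev = self.devices.get(cloud_id)
        if dev is None or dev.name != name or dev.cert_fingerprint != cert_fingerprint:
            return False
        dev.linked_accounts.add(account)   # no check that the owner agreed
        return True


class LinkServiceAfter:
    """Post-fix behaviour (modelled): a link is created only from an invite the
    owner issued through the Home app; device data alone proves nothing."""

    def __init__(self, devices):
        self.devices = {d.cloud_id: d for d in devices}

    def create_invite(self, owner, cloud_id, invitee):
        dev = self.devices[cloud_id]
        if dev.owner != owner:
            raise PermissionError("only the owner may invite")
        invite_id = secrets.token_urlsafe(16)   # unguessable, single-use
        dev.pending_invites[invite_id] = invitee
        return invite_id

    def link(self, account, cloud_id, invite_id):
        dev = self.devices.get(cloud_id)
        if dev is None or dev.pending_invites.get(invite_id) != account:
            return False                      # no invite, or not for this account
        del dev.pending_invites[invite_id]    # consume it so it cannot be replayed
        dev.linked_accounts.add(account)
        return True


def run_routine_action(action, origin):
    """Modelled guard for the second fix: a 'call' action inside a routine is
    refused unless the routine was set up on the device itself (assumed tag)."""
    if action["type"] == "call" and origin != "device":
        return "refused"
    return "executed"


def demo():
    """Replays the scenario with constructed data and returns each outcome."""
    home = Device("Kitchen speaker", "sha256:deadbeef", "cloud-0001", "alice")
    before = LinkServiceBefore([home])
    # Someone on the LAN has read name/cert/cloud ID from the local API.
    r1 = before.link("mallory", "Kitchen speaker", "sha256:deadbeef", "cloud-0001")

    home2 = Device("Kitchen speaker", "sha256:deadbeef", "cloud-0001", "alice")
    after = LinkServiceAfter([home2])
    r2 = after.link("mallory", "cloud-0001", "guessed-invite")   # no invite exists
    inv = after.create_invite("alice", "cloud-0001", "bob")      # owner invites bob
    r3 = after.link("mallory", "cloud-0001", inv)                # invite is not for mallory
    r4 = after.link("bob", "cloud-0001", inv)                    # legitimate link
    r5 = after.link("bob", "cloud-0001", inv)                    # replay of a used invite
    r6 = run_routine_action({"type": "call", "number": "+15550100"}, "remote")
    return {"before_lan_link": r1, "after_no_invite": r2, "after_wrong_account": r3,
            "after_invited": r4, "after_replay": r5, "remote_call_routine": r6}


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```

The point the model makes is that the pre-fix service answered the question “does this caller know things about the device?” when it needed to answer “did the owner authorise this caller?”. The invite is bound to a specific invitee and consumed on use, so neither a guessed invite nor a replayed one links an account, and the routine guard refuses the call action when the routine did not originate on the device.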