Have you heard? Google Home speakers, unfortunately, had a flaw that allowed hackers to establish a backdoor account and remotely manage, access, and listen in on the devices.
Last year, researcher Matt Kunze found the problem and received $107,500 (around ₱6 million) for responsibly reporting it to Google. The researcher published technical details of the defect and a possible attack scenario to show how it could be used.
In short, Matt Kunze was experimenting with his own Google Home Mini speaker when he found that new accounts added through the Google Home app could use the cloud API to send commands to it remotely.
Using Nmap, the researcher located Google Home's local HTTP API port, then set up a proxy to capture the HTTPS traffic and obtain the user's authorization token.
Adding a new user to the target device is a two-step process that needs the device name, certificate, and "cloud ID" from its local API. With this information, an attacker could ask Google's server to link an account to the device.
The researcher’s blog summarizes the attack:
- The attacker wants to snoop on the victim via a nearby Google Home without knowing the victim's Wi-Fi password.
- The attacker finds the victim's Google Home by listening for Google MAC address prefixes (e.g., E4:F0:42).
- The attacker sends deauth packets to disconnect the device and force it back into setup mode.
- The attacker connects to the device's setup network and requests device info such as its name, certificate, and cloud ID.
- The attacker uses those device details to link their own account to the victim's device.
- The attacker can now snoop on the victim's Google Home over the internet without being near the speaker.
Kunze first found the problem in January 2021. He gave Google further details in March, and by April 2021 Google had fixed all the issues.