A flaw in the Google Home smart speaker made it possible to install a backdoor account that could be used to remotely manage the device and turn it into an eavesdropping device by accessing the microphone feed.
Security researcher Matt Kunze identified the vulnerability and was rewarded $107,500 by Google for responsibly disclosing it last year. He published technical details of the discovery earlier this week, along with an attack scenario demonstrating how malicious actors could have exploited it.
The researcher made the discovery while experimenting with his own Google Home Mini speaker. He found that new accounts created through the Google Home app could send commands to the device remotely over the cloud API.
Using an Nmap scan, the researcher located the port for Google Home's local HTTP API, then set up a proxy to intercept the encrypted HTTPS traffic in the hope of capturing the user authorization token.
According to the researcher, adding a new user to the target device is a two-step process that requires the device name, certificate, and "cloud ID", all of which can be obtained from its local API. With this information, an attacker can submit a link request to the Google server.
The researcher reimplemented the link process in a Python script that automated the exfiltration of the local device data and replayed the linking request, allowing him to add a rogue user to a target Google Home device.
Once a rogue account is linked to the target device, it becomes possible to perform actions through the Google Home speaker, including controlling smart switches, making online purchases, remotely unlocking doors and vehicles, and covertly brute-forcing the user's PIN for smart locks.
Worse still, the researcher found a way to abuse the "call [phone number]" command by adding it to a malicious routine that would activate the microphone at a predetermined time, call the attacker's number, and stream a live feed from the microphone. This is the most concerning part of the discovery.
Finally, the hijacked smart speaker could also be made to play media, be renamed, force a reboot, forget saved Wi-Fi networks, force new Bluetooth or Wi-Fi pairings, and more.
Kunze reported the problems in January 2021 and supplied further information and proofs-of-concept in March 2021. Google had resolved all issues by April 2021.
The fix introduced a new invite-based mechanism for handling account links, which blocks any linking attempt that was not initiated through the Home app.
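To make the design point concrete, here is an added toy model of the two authorization schemes described above. It is written for this article and is not Google's code or API; the service classes, the `set_owner`/`invite`/`link` methods, and the sample identifiers are all hypothetical. The "vulnerable" service accepts a link request from anyone who presents the device's own name, certificate, and cloud ID, which is exactly the information the article says the local API hands out on the LAN; the "invite-based" service only accepts a single-use, expiring invite that an already-linked owner issued for a specific invitee.

```python
"""Toy model of device account linking, before and after an invite-based fix.

Hypothetical model written for this article. It is NOT Google's API or code;
it only illustrates why identifiers readable off the local network are not
proof of ownership, and how an owner-issued, single-use invite closes the gap.
"""
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Constructed sample device: the three identifiers the article says the
# local API exposed. All values below are made-up placeholders.
DEVICE = {
    "name": "Living Room speaker",
    "cert": "-----BEGIN CERTIFICATE-----placeholder",
    "cloud_id": "cloud-id-placeholder",
}
OWNER = "owner@example.invalid"
ATTACKER = "attacker@example.invalid"
GUEST = "guest@example.invalid"


@dataclass
class LinkServiceVulnerable:
    """Pre-fix behaviour as described: presenting the device's identifiers is
    treated as proof of ownership, so anyone on the LAN can link an account."""
    known_devices: dict
    linked: dict = field(default_factory=dict)

    def link(self, account, name, cert, cloud_id):
        dev = self.known_devices.get(cloud_id)
        if dev is None or dev["name"] != name or dev["cert"] != cert:
            return False
        self.linked.setdefault(cloud_id, set()).add(account)
        return True


@dataclass
class LinkServiceInviteBased:
    """Post-fix behaviour: a link requires a single-use invite that only an
    already-linked owner can issue (in practice, from the Home app)."""
    known_devices: dict
    linked: dict = field(default_factory=dict)
    # token -> (cloud_id, invitee, expiry timestamp)
    _invites: dict = field(default_factory=dict)
    ttl: int = 3600

    def set_owner(self, cloud_id, account):
        # Models the initial pairing done during device setup.
        self.linked.setdefault(cloud_id, set()).add(account)

    def invite(self, issuer, cloud_id, invitee, now=None):
        if issuer not in self.linked.get(cloud_id, set()):
            raise PermissionError("only a linked owner can invite")
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._invites[token] = (cloud_id, invitee, now + self.ttl)
        return token

    def link(self, account, cloud_id, token, now=None):
        now = time.time() if now is None else now
        # Constant-time lookup, then burn the invite on first use (no replay).
        match = next((t for t in self._invites
                      if hmac.compare_digest(t.encode(), token.encode())), None)
        if match is None:
            return False
        inv_cloud_id, invitee, expiry = self._invites.pop(match)
        # The invite must be bound to this device and this account, and unexpired.
        if inv_cloud_id != cloud_id or invitee != account or now > expiry:
            return False
        self.linked.setdefault(cloud_id, set()).add(account)
        return True


def demo():
    """Run both services against the same constructed device; returns outcomes."""
    devices = {DEVICE["cloud_id"]: DEVICE}
    old = LinkServiceVulnerable(devices)
    new = LinkServiceInviteBased(devices)
    new.set_owner(DEVICE["cloud_id"], OWNER)
    r = {}
    # Before the fix: the local identifiers alone are enough to link.
    r["old_attacker_linked"] = old.link(ATTACKER, DEVICE["name"], DEVICE["cert"], DEVICE["cloud_id"])
    # After the fix: same identifiers, no invite -> rejected.
    r["new_no_invite"] = new.link(ATTACKER, DEVICE["cloud_id"], "guessed-token")
    # A linked owner invites a guest; the guest links once; replay fails.
    tok = new.invite(OWNER, DEVICE["cloud_id"], GUEST)
    r["new_guest_linked"] = new.link(GUEST, DEVICE["cloud_id"], tok)
    r["new_replay"] = new.link(GUEST, DEVICE["cloud_id"], tok)
    # An unlinked account cannot mint invites for itself.
    try:
        new.invite(ATTACKER, DEVICE["cloud_id"], ATTACKER)
        r["attacker_can_invite"] = True
    except PermissionError:
        r["attacker_can_invite"] = False
    # An invite issued to one account cannot be redeemed by another.
    tok2 = new.invite(OWNER, DEVICE["cloud_id"], "guest2@example.invalid")
    r["new_wrong_invitee"] = new.link(ATTACKER, DEVICE["cloud_id"], tok2)
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the model is that the pre-fix check only verifies that the requester knows things the device itself broadcasts, whereas the invite ties each link to an explicit decision by someone already trusted, to one device, to one invitee, to a time window, and to a single use.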
It is worth noting that Google Home launched in 2016, scheduled routines were added in 2018, and the Local Home SDK was released in 2020, so an attacker who discovered the flaw before April 2021 would have had plenty of time to exploit it.