Home automation is becoming more widespread, and devices that we can control by voice or from a mobile phone are very common. However, they sometimes have vulnerabilities and problems that affect security or privacy. In this article we report on a problem with Google Home speakers that allowed hackers to listen to all conversations. An external attacker could control the device remotely.
Security flaw in Google Home speakers

Specifically, it is a bug in Google Home speakers that allowed an attacker to install a backdoor that could be used for eavesdropping. The attacker could remotely control the device and access the microphone. They could listen to conversations and, as a result, compromise the privacy of the victim.
But how was this problem detected? It was found through a bounty program for detecting vulnerabilities, and Google offered a financial reward for it. Security researcher Matt Kunze made the discovery and later published the technical details and how the problem could be exploited.
The researcher started experimenting with a Google Home speaker. He found that new accounts added through the Google Home app could send commands remotely through the cloud API. He was able to capture the traffic. He could then send a link request to the Google server and initiate the link.
He uploaded the full report on how he managed to exploit this bug to GitHub. There he shows how it is possible to spy on a victim over the Internet using a Google Home speaker.

What they can do through the Google Home speaker
Having an unauthorized account linked to a Google Home speaker can be a major problem. It allows an attacker to control smart plugs, make online purchases, or even access smart locks that may be linked.
Added to all this is the possibility of activating the microphone at a given time. This is done by making a call to a phone controlled by the attacker. Through that call, the attacker hears everything that the Google Home speaker's microphone picks up on the other end. It is a way to spy on the victim.
But wouldn't the victim notice anything if someone were listening? The only visible sign would be the blue LED lit up. That indicates a call is in progress, but it can be mistaken for a firmware update.
An attacker could even play audio on that speaker. They could also force pairing with other devices, whether Bluetooth or Wi-Fi, and make the speaker forget linked wireless networks.
How can you avoid being spied on like this if you have a Google Home speaker? The solution is very simple: make sure the firmware is up to date. Not surprisingly, once the security researcher informed Google, the company got to work and released patches to fix the problem. If you have the latest versions, you do not need to fear this vulnerability.