A security researcher found a severe security vulnerability in the Google Home speaker that could allow spying on users. An adversary could easily install a backdoor on the target device and exploit it as a spy tool.
Google Home Speaker Vulnerability
In a recent post, researcher Matt Kunze shared the details of an interesting discovery he made last year: a serious vulnerability in the Google Home speaker that could allow eavesdropping on users.
Specifically, he observed the flaw while inspecting his own Google Home device. Because the Google Home app allowed other user accounts to be linked to the device, he became curious about the account-linking process, since a linked account receives extensive control over the device. He therefore suspected an adversary could abuse this feature to link a rogue account and take over target devices.
To test this hypothesis, he ran an Nmap scan to find the local HTTP API port of the Google Home and then captured its HTTPS traffic. After some further research, Kunze was able to reproduce the account-linking request by implementing the process in a Python script.
With a linked account, the researcher could then create malicious routines built from voice commands. For instance, a routine issuing the “call [phone number]” command would activate the microphone and stream its audio to the attacker’s phone number. (Kunze credited the previously reported LightCommands attack as the inspiration for this idea, alongside several other studies.)
Having such extensive access to the target Google Home allowed the attacker to:
- access local auth tokens
- use the local API to change device settings
- execute commands via “routines”
- install “actions” such as “smart home actions” to execute various activities
The researcher has also shared several PoCs for this attack, depicting different attack scenarios. For instance, one of his videos shows how an attacker could remotely initiate a call from the device.
Google Patched The Flaw
After making the discovery in August 2021, the researcher reported it to Google. The tech giant then developed a patch for the issue to protect users’ privacy. Kunze confirmed that Google blocked remote initiation of “Call [phone number]” commands via routines and introduced an invite requirement, so that a new account can only be linked after a request is sent from the Home app.
Besides releasing a fix, Google rewarded the researcher with a $107,500 bounty.
Let us know your thoughts in the comments.