A security researcher has discovered a vulnerability in Google Home devices that allows hackers to remotely gain full access to the device, giving them the ability to listen in on conversations and perform other actions. The researcher found that adding new users to the device is as simple as entering an email address, which prompted him to investigate further. He discovered that by capturing HTTP traffic from the device, he was able to analyze the process of adding a new user and found that the device authenticates new users with three pieces of information: the device name, certificate, and Cloud ID. He also found that it is possible to remotely force a Google Home to spawn an unprotected Wi-Fi hotspot that can be used to query the device’s API and gain access to the device. The vulnerability has been patched by Google after the researcher responsibly disclosed it.
What is happening?
A newly discovered bug in Google Home devices has the potential to turn the meme of smart speakers spying on you into a reality. A security researcher discovered a vulnerability that allows hackers to remotely gain full access to a Google Home device. This means that they can do anything they want, including listening in on your conversations.
How did he find it?
The researcher behind this discovery explains that he was messing with his Google Home and noticed how easy it was to add new users to the device from the Google Home app. It's as straightforward as entering an email address. This simplicity piqued the researcher's curiosity, and he investigated further.
After capturing HTTP traffic from the device, he analyzed how the process of adding a new user really works. He discovered that after entering an email address, the app sends an HTTP request to Google servers asking them to add the new user. The request is authenticated with three pieces of information: your device name, certificate, and Cloud ID.
So theoretically, if an attacker were able to get their hands on these three pieces of information unique to your Google Home, they could give themselves full access to your device. And it turns out that getting this trio of information is as simple as asking the device for it, as long as you know the Google Home's IP address.
What’s the challenge here?
The catch, of course, is that a hacker would need to be on the same Wi-Fi network as the Google Home in order to send this request, and hacking a Wi-Fi router is a whole challenge in and of itself. So this is a fairly big caveat. But this is when the researcher made yet another discovery: it's possible to remotely force a Google Home to spawn its own unprotected Wi-Fi hotspot, which can then be used to query the device's API.
Conclusion
The security researcher responsibly disclosed this to Google, and it is now patched. He was also awarded 107,500 dollars as a reward.