Earlier this week, researcher, programmer and ethical hacker Matt Kunze released a blog post detailing a serious vulnerability in Google smart home speakers that could give hackers remote control over the devices. In his blog post, Matt details how the vulnerability was discovered and then explains in frightening detail exactly how this backdoor could be used to access a wide range of commands and actions using the affected Google speaker.
The potential for attack stemmed from a vulnerability that could allow someone to add themselves to the Google Home App. From there, a hacker would have the ability to control devices connected to the account. Once connected, an attacker could utilize voice commands to activate the microphone on a given device. You can imagine how much chaos could ensue from that point. Potentially, the device could then be used to do anything that the Google speaker was capable of as it relates to any other connected devices in the home. Here are some examples of potential actions:
- Control smart home switches
- Open smart garage doors
- Make online purchases
- Remotely unlock and start certain vehicles
- Open smart locks by stealthily brute forcing the user’s PIN number
Matt turned his attention to another potential action that attackers could trigger once they gained access to the Home App: phone calls. By setting up a routine attached to a specific device, Matt was able to trigger his Google Home Mini to call his phone at a specific time based on the routine. In the video below, you can see the routine in action. Very cool and very frightening at the same time.
Given that the hack gave the attacker access to the device's microphone, Matt laid out a potential scenario in which the attacker could use a Google smart speaker to spy on a household, essentially giving the attacker untethered access to listen from the speaker at any time. As pointed out in his blog post, this hack would not require the attacker to have Wi-Fi credentials to access the device:
- Victim installs attacker’s malicious Android app.
- App detects a Google Home on the network via mDNS.
- App uses the basic LAN access it’s automatically granted to silently issue the two HTTP requests necessary to link the attacker’s account to the victim’s device (no special permissions necessary).
Matt goes on to explain, in depth, the various ways that a hacker could implement multiple nefarious attacks using this backdoor in the Home App. Thankfully, the story has a happy ending.
The Good News
As Mr. Kunze is an ethical hacker, this vulnerability was reported to Google months ago and a patch was released well before the weakness was made public. According to the timeline, the vulnerability was reported in January of 2021 and the fix was implemented in April of the same year. Not long after that, Matt was rewarded for his efforts with a whopping $107,500 bug bounty for identifying this weakness. That means that you don’t have to worry about this type of attack happening, as it was derailed before it ever made it out into the wild. You can read the full, in-depth report on Matt’s new blog here.