A flaw in Google Home speakers allowed them to be controlled remotely and used to spy on their users' conversations


Using a Python 'script', a researcher has discovered a flaw in Google Home speakers that made it possible to install a backdoor account to control these devices remotely and spy on users' conversations.

Python is a programming language used in many web applications, software development, data science, and machine learning. It is free to download and can be used on all systems.

A researcher named Matt Kunze has announced that he recently received financial compensation from Google for one of his latest finds, focused on Google Home smart speakers.

Specifically, Kunze received 107,500 dollars (about 100,615 euros at current exchange rates) for discovering a flaw in these devices that allowed the installation of a backdoor account, which cybercriminals could have used to control them remotely and spy on their users' conversations.

The researcher, who used a Python 'script' to access the system of these devices, used a Google Home Mini for his experiment, although he has acknowledged that this type of attack gave the same results on other models of the brand.

First of all, Kunze has insisted that at the beginning of his research he noticed "how easy it was to add new users to the device from the Google Home app," as well as how to link an account to the device, as can be read on his blog.

With this, he has laid out the different routes cybercriminals can choose to access the speakers developed by Google. First, he mentions the option of obtaining the device 'firmware' by downloading it from the vendor's website. Next comes a static analysis of the application that interacts with the device, in this case Google Home.

Also, communications between the app and the device, or between the device and the provider's servers, can be intercepted using a man-in-the-middle (MitM) attack.

The researcher used the Google Home application and realized that, through it, it was possible to send commands remotely through the application programming interface (API) in the cloud. So he ran an Nmap scan to find the port for the device's local HTTP API and set up a proxy to capture the encrypted HTTPS traffic.

Once he obtained this data, he learned that the process of adding a new user to the target device required the device name, certificate and cloud ID from the local API. To add a malicious user, he implemented that linking process in a Python script, which reproduced the link request.

In this sense, Kunze describes the most likely attack scenario had cybercriminals exploited this backdoor. First, he indicates that attackers seeking to spy on their victims from within proximity of the Google Home obtain its unique identifiers, or MAC addresses.

The attacker then sends deauthentication packets to disconnect the device from the WiFi network and push it into configuration mode. Then the attacker connects to the device's configuration network and requests the device information (name, certificate and cloud ID).

After connecting to the internet and using the data obtained, the attacker links their account to the victim's device. From then on, the attacker can spy on the victim without having to be near the device, solely through Google Home or the Internet.

The researcher has published three proofs of concept (PoC) on GitHub for these actions, although he has stressed that these should not work on Google Home devices running the latest version of its 'firmware'.

It should be mentioned that Kunze discovered this security flaw in January 2021. He informed the company of the problem in March 2021. Just a month later, in April, Google had already fixed it with a security patch.

However, as reported by Bleeping Computer, Google Home was released in 2016 and scheduled routines were added to its smart speakers just two years later, so attackers could have exploited this vulnerability for years.