Some Google Home smart speakers could have been hijacked to control the device remotely, and even listen in on people’s private (opens in new tab) conversations, a security expert has claimed.
The bug was discovered by cybersecurity researcher Matt Kunze, who received $107,500 in bounty rewards for responsibly reporting it to Google.
Kunze, who was investigating his own personal Google Home mini speaker for possible issues, explained in a blog post (opens in new tab) how he found a way to add another Google account to the device, which would be enough to be able to eavesdrop on people.
Adding rogue accounts
First, the attacker needs to be within wireless proximity of the device, and listen to MAC addresses with prefixes associated with Google.
After that, they can send deauth packets, to disconnect the device from the network and trigger the setup mode. In the setup mode, they request device info, and use that information to link their account to the device and – voila! – they can now spy on the device owners over the internet, and can move away from the WiFi.
But the risk is bigger than “just” listening to people’s conversations. Many smart home speaker users connect their devices with various other smart devices, such as door locks and smart switches. Furthermore, the researcher found a way to abuse the “call phone number” command, and have the device call the attacker at a specified time and feed live audio.
The bug was discovered in early 2021 and patched up by April 2022, with Google addressing the issue by creating a new invite-based system for account linking, blocking any accounts not added on Home.
That being said, to make sure there is no risk, Google Home users are advised to update the endpoint’s firmware to the latest version as soon as possible.
Via: BleepingComputer (opens in new tab)