Snooping On Google Home Speakers - ThreatWire

By Shannon Morse 

A researcher found an issue in Google Home-branded smart home speakers that could allow an attacker to listen to audio from the mic. Specifically, a third party could add a new account to the Google Home and send commands to it via a cloud API.

Researcher Matt Kunze found the issue on his own Google Home Mini speaker. He used an Nmap scan to find the local HTTP API port for Google Home, then set up a proxy to capture HTTPS traffic. Kunze found that the device’s name, certificate and Cloud ID were required in order to create new users. This info would allow him to send a link request to the Google server, so he created a Python script to automate the process of grabbing the local device data and recreating the steps to get the link request.

If an attacker wasn’t on the same Wi-Fi network as the Google Home they wanted to attack, they could listen to local Wi-Fi packets to look for a client matching Google’s MAC address, which always starts with the same prefix. They could then target that client and send deauth packets to disconnect it from its local Wi-Fi connection, which makes it enter setup mode, then connect to it and request its local info (the name, certificate and Cloud ID). With that info, the attacker could link their own account to the device and spy on the victim remotely.
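One way a defender could flag the sequence described above (a burst of deauth frames aimed at a speaker, followed by that speaker appearing in setup mode) from wireless sensor events. This is an added example, not code from Kunze or from the original post; the event format, the thresholds and the `aa:bb:cc` prefix are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque

# Assumptions (not from the article): placeholder OUI and thresholds.
WATCHED_OUIS = {"aa:bb:cc"}   # replace with the prefixes of your own speakers
WINDOW_S = 10.0               # sliding window for counting deauth frames
MIN_DEAUTHS = 5               # frames inside the window that count as a burst
SETUP_GRACE_S = 120.0         # setup mode this soon after a burst is linked to it

def detect(events):
    """events: (ts_seconds, kind, station_mac) tuples sorted by ts.
    kind is 'deauth' (deauth frame addressed to the station) or 'setup'
    (station seen in setup mode). Returns a list of alert dicts."""
    recent = defaultdict(deque)   # station -> timestamps of deauths in window
    burst_at = {}                 # station -> time its last burst was flagged
    alerts = []
    for ts, kind, mac in events:
        mac = mac.lower()
        if mac[:8] not in WATCHED_OUIS:
            continue              # not one of the devices we care about
        if kind == "deauth":
            q = recent[mac]
            q.append(ts)
            while ts - q[0] > WINDOW_S:
                q.popleft()       # drop frames that fell out of the window
            new_burst = ts - burst_at.get(mac, float("-inf")) > WINDOW_S
            if len(q) >= MIN_DEAUTHS and new_burst:
                burst_at[mac] = ts
                alerts.append({"ts": ts, "mac": mac, "severity": "medium",
                               "reason": "deauth burst"})
        elif kind == "setup" and ts - burst_at.get(mac, float("-inf")) <= SETUP_GRACE_S:
            alerts.append({"ts": ts, "mac": mac, "severity": "high",
                           "reason": "setup mode after deauth burst"})
    return alerts

# Constructed sample events (not real capture data).
SAMPLE = [
    (0.0, "deauth", "AA:BB:CC:11:22:33"),    # single stray frame: ignored
    (20.0, "setup", "aa:bb:cc:44:55:66"),    # owner reset, no burst: ignored
    *[(25.0 + i, "deauth", "de:ad:be:ef:00:01") for i in range(6)],  # other vendor
    *[(40.0 + 0.5 * i, "deauth", "aa:bb:cc:11:22:33") for i in range(6)],
    (55.0, "setup", "aa:bb:cc:11:22:33"),    # follows the burst: escalate
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

Setup mode on its own raises nothing here, since owners reset devices legitimately; only the pairing with a preceding deauth burst is escalated.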

Kunze’s blog explains the technical details, and he also published three proofs of concept on GitHub. If a rogue account is added to a Google Home speaker, not only could it listen to the mics, but it could also be used to control any connected smart home tech like cameras and switches, brute-force PINs used to lock doors, and more. An attacker could also set up a routine to call them and enable the speaker.

The researcher notified Google in January 2021, and everything was patched by Google in April 2021. The update blocks new accounts via a new invite-based feature, and deauthing a Google Home from its local Wi-Fi network no longer allows new accounts to be added. Google also added prevention techniques to stop remote call initiations.

Kunze was awarded over $100k for finding this vulnerability and responsibly disclosing it to Google. If you own a Google Home, make sure it’s running the newest firmware, as these issues have been fully patched.

Comments

I’ll ask Shannon, but yeah it seems to be because of the award

Daily Tech News Show

I fail to understand why this is suddenly a story. This was found two years ago and patched pretty quickly. Is it just because his award was announced?

Russell Milliner