A security researcher was awarded a $107,500 bug bounty for identifying a security issue in Google Home smart speakers that could be exploited to install a backdoor and turn it into an eavesdropping device.
This vulnerability allows an “attacker to install a “backdoor” account on a device in close proximity to the radio, send commands remotely over the Internet, access microphone feeds, and send arbitrary HTTP messages within the victim’s LAN. We were able to create a request,” said the researcher. , who goes by the name Matt, revealed in a technical article published this week.
Making such a malicious request not only exposes the Wi-Fi password, but also gives the attacker direct access to other devices connected to the same network. The issue was fixed by Google in April 2021, following a responsible disclosure on January 8, 2021.
In a nutshell, the issue has to do with how Google Home software architecture is leveraged to add rogue Google user accounts to targeted home automation devices.
The attack chain detailed by the researchers allows an attacker who wishes to eavesdrop on a victim to trick the individual into installing a malicious Android app. When the app detects her Google Home device on the network, it issues a stealthy HTTP request to link the attacker’s account. to the victim’s device.
Going one step further, it was also revealed that a Wi-Fi deauthentication attack could be used to force a Google Home device to disconnect from the network, putting the appliance into “setup mode” and creating its own open Wi-Fi. rice field. phi network.
An attacker can then connect to the device’s setup network, request details such as the device name, cloud_device_id, and certificates, and use them to link an account to the device.
Regardless of the attack sequence employed, once the linking process is successful, the adversary utilizes the Google Home routine to reduce the volume to zero, dial a specific phone number at any point in time, and reach out to the victim through the device’s microphone. can spy on
“The only thing the victim will notice is that the LED on the device will turn blue, but they will probably think they are updating the firmware or something,” said Matt. “During a call, the LED doesn’t flash like it normally does when the device is listening, so there’s no indication that the mic is open.”
Additionally, the attack could make arbitrary HTTP requests within the victim’s network to read files or introduce malicious changes to linked devices that would be applied after a reboot.
This isn’t the first time such attack methods have been devised to covertly snoop on potential targets via voice-activated devices.
In November 2019, a group of academics released a technology called Light Commands. This is a vulnerability in her MEMS microphone that allows attackers to remotely inject inaudible and invisible commands into popular voice assistants such as Google Assistant, Amazon Alexa, Facebook Portal, and Apple Siri. refers to gender. with light.
