
What you need to know
- Researcher Matt Kunze found that hackers could have spied on people in their homes via Google’s smart speakers.
- Once access is obtained, the “rogue” account can intercept conversations, control devices, and make online purchases.
- This issue was reported in January 2021 and Google fixed the issue by April of the same year.
A serious issue in the Google Home speaker could have allowed strangers to listen in on your home without your knowledge.
Researcher Matt Kunze discovered the issue after experimenting with the Nest Mini in January 2021 (via Bleeping Computer). It turns out that new “rogue” accounts can be added via the Home app, allowing hackers to remotely control devices via cloud APIs.
Kunze found that to do this, a hacker would need to obtain the device’s name, certificate, and “cloud ID” from a local API. With these in hand, the hacker could send a link request for your device through Google’s servers. After linking a device this way, as a malicious user would, Kunze worked through several scenarios that could play out if a hacker did this to an unprotected home device.
The scenarios Kunze identified include the ability for hackers not only to spy on people, but also to make HTTP requests over the network and to read and write files on the device.
If that wasn’t enough, a hacker could remotely trigger the call command on your smart speaker, allowing the device to call your phone at any time and intercept conversations taking place in your home. In Kunze’s demo video, the four lights on the Nest Mini glow blue to indicate it’s on a call. However, someone just walking through the house might not notice this, or might simply attribute it to a call in progress.
Hackers could also control smart home switches, conduct online transactions, unlock the doors of your home or car, and leverage PINs used for smart locks.
In his write-up of how he discovered this vulnerability, Kunze said the attack is not possible if you’re running the latest firmware: he reported it to Google in January 2021, and the company patched the issue in April of the same year. Kunze also received $107,500 in rewards for finding and reporting the critical flaws.
Researchers say Google’s fix requires an invitation to the “Home” where the device is registered in order to link the device to an account. Google has also disabled the ability to remotely invoke commands via routines. For an extra layer of security, Google smart home devices with displays, such as the Nest Hub Max, are protected with a WPA2 password shown in a QR code on the display.