Google Home smart speaker vulnerability revealed

Matt Kunze, an independent security researcher, has revealed a serious security flaw in Google’s Home series of smart speakers.

David Hollingworth
Wed, 04 Jan 2023

By using a known vulnerability within Chromecast, which is basically the architecture that Google Home speakers are built around, Kunze was able to construct proof-of-concept attacks that allowed him to spy on a potential victim, make HTTP requests, and read/write files on any device linked to the speaker.

Google was informed about the vulnerabilities in August of 2021, and once the company had verified the problems and reportedly fixed them, Kunze was rewarded with a US$107,500 bug bounty in early 2022.

Kunze has only just published his work, and it makes for fascinating reading.

Kunze began by seeing how far he could get by linking an external account and then using the speaker’s built-in routines, which allow owners to set up interactions whereby multiple devices can be used with one command, or at a set time. In theory, this could give a lot of control to an outside user, so he dug deeper.

Settling on a man-in-the-middle attack, Kunze used a rooted Android device and a range of specialist hacking tools to eventually intercept all traffic between the Google Home app and the Google Home speaker, and between the app and Google’s own servers.

With what Kunze found in the traffic, he was able to use a Python script to automate the process and do away with the need to use the Home app at all.

This let Kunze execute remote voice commands, which in turn gave him access to not only the smart speaker, but everything it was linked to, such as smart switches, smart locks, and even garage doors.

“I wanted to go further though and come up with an attack that would work on all Google Home devices,” Kunze explains in his blog post, “regardless of how many other smart devices that the user has. I was trying to come up with a way to use a voice command to activate the microphone and exfiltrate the data.”

With the “call [phone number]” command, he was able to do just that. Kunze then used what he’d learned to construct his three proofs of concept, which won him the big bounty.

Following the revelations, Google subsequently announced that it would now pay more to researchers for any bug reports found to contain real vulnerabilities.

“We are now looking to deepen this relationship and accelerate the path toward building more secure devices,” said Medha Jain, program manager, devices and services security, on Google’s security blog.

“If the Google Home architecture had been built from scratch,” Kunze concludes, “I imagine that these issues would have never existed.”

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
