Posted on January 2, 2023 at 9:50 PM
Hackers have been devising new ways of infiltrating user devices. Any device connected to the internet is at risk of being infiltrated by hackers, and Google Home speakers are not an exception. Researchers have found that hackers can gain unauthorized access to these devices.
Hackers could spy on users using Google Home speakers
Matt Kunze, a cybersecurity researcher, identified the threat in Google Home speakers. He found that these speakers could carry a bug that hackers could exploit.
Kunze received $107,500 from Google as a reward for detecting the vulnerability, which gave the tech giant a chance to solve the problem before threat actors could cause significant harm. Tech giants usually offer incentives to researchers and white hats who detect vulnerabilities before they are exploited.
A technical summary provided by Kunze regarding the exploit noted that an attacker could install a “backdoor account” on a Google Home speaker as long as the attacker was within the device’s wireless range.
Kunze did his research on this bug using his own Google Home speaker. He noted that if a backdoor account was installed, it could be used to control the user’s device by sending remote commands to the device. This meant that the user’s device could be used for spying by obtaining access to the microphone feed.
An attacker could also access the Wi-Fi password of the victim and gain unauthorized access to the other devices running on the same network. The attacker could also use the victim’s device to call a phone number and change the device’s volume.
Kunze further found that an Nmap scan revealed the port for the local HTTP API of Google Home. This allowed the threat actor to set up a proxy that could be used to access the encrypted HTTPS traffic, with the expectation of capturing the authorization token.
Kunze also noted that the only sign that could alert the victim to this exploit was the blue LED light on the device. This light turned solid blue when the speaker was on a call. However, a targeted individual who was not aware of this feature might assume that the device was updating or performing another major task.
One of the best things about Kunze’s research is that no threat actor had used the exploit on the Google Home speaker. The detailed research noted that while the threat of a hacker exploiting this vulnerability was high, hackers had yet to compromise devices using the exploit. Google was therefore able to patch the vulnerability before any damage was done.
The timeline for this research shows that the vulnerability was detected in January 2021. A fix for the bug was later implemented in April of the same year. Shortly after the bug was identified and fixed, Kunze received a $107,500 bug bounty reward for his work.
Accessing phones and user devices
Kunze also examined what else hackers could do after they accessed the Home App. The attackers could access user phone calls and snoop on conversations. The hackers could also create a routine linked to the user’s device.
The researcher created a routine that was associated with a specific device. By doing this, Matt triggered the Google Home Mini to call his phone at a specific time, depending on the routine. This was frightening to users because the hacker could snoop on personal matters.
The hack allowed the attacker to access the microphone of the device. Kunze also described a potential scenario where the attacker could use a Google smart speaker to spy on the household. This allowed the attacker to obtain access and listen from the speaker at any given time. However, Kunze noted that this hack would allow the hacker to access the Wi-Fi credentials of the victim to obtain access to the device.
The effects of an attacker compromising users’ devices could be notable, as the attacker could use voice commands to activate the microphone on any device. The device could then be used to carry out any task that a Google speaker could handle in relation to the other connected devices within the home.