A bug in Google Home speakers allowed them to be controlled remotely and spy on their users’ conversations

Discover the researcher A “script” developed by Python that is a bug in Google Home speakers, Which offered the possibility to install a file Backdoor account To control these devices remotely and to spy User conversations.

Python is a programming language used in a large part of web applications. Software development, data science, and machine learning. It is free to download and can be used on all platforms.

Researcher named Matt Koons Announced that she recently received Monetary compensation from Google for one of its latest findings, centered on Google Home smart speakers.

Specifically, Kunze received $107,500 (about 100,615 euros at current exchange rates) for your discovery of a on these devices That allowed the installation of a backdoor account that cybercriminals could use to remotely control and spy on their users’ conversations.

researcher who Use a python “script” to access the system of these devicesused a Google Home Mini in his experiment, although he acknowledged that this type of attack delivered the same results in other models of the brand.

First of all, Koons insisted that he had noticed at the beginning of his investigation “how easy it was to add new users to the device from the Google Home app,” as well as link an account to the device, as can be read on his blog.

With this, he revealed the various ways through which cyber criminals To access the speakers developed by Google. First of all, comment on an option Get the “firmware” for the device by downloading it from the provider’s website. a Then perform a static analysis of the application that interacts with the device. In this case, Google Home.

Also Communications between the app and the device, or between them, can be intercepted and provider servers using a man-in-the-middle (MitM) attack.

Use the finder app Google House Realize that commands can be sent remotely through an API in the cloud. So, use Nmap scan to find the device’s local HTTP port and configure a proxy to capture encrypted HTTPS traffic.

Once this data is obtained, I learned that the process of adding a new user to the target machine requires both a username, an API Cloud ID, and a certificateto me. Specifically, to add a malicious user, I implemented this connection in a Python script, which reproduced the bind request.

In this sense, Kunze describes the most likely attack scenario in a situation Cybercriminals could have taken advantage of this backdoor. First, it indicates that when attackers seek to spy on their victims in close proximity to a Google Home, they gain access to their unique identifiers, or MACs.

The attacker then sends deauthorization packets to disconnect the device from the WiFi network and display the configuration mode. Then it connects to this other configuration and asks for device information (name, certificate, and cloud identifier).

After connecting to the Internet and making use of the user’s data, it links its account to the victim’s device. From now on, you can spy on the victim without having to be near the device, but only through Google Home or the Internet.

The researcher posted three proofs of concept (PoC) on GitHub for these procedures, though he stressed that they should not work on Google Home devices running the latest version of their ‘firmware’.

Related news

It should be noted that Kunzie found out Security breach in January 2021 And I reported this issue to the company in March 2021. Just a month later, in April, Google actually fixed this issue with a security patch.

However, as advanced in Bleeping Computer, Google Home was launched in 2016 And the routine routine of its smart speakers is only two years away, so attackers could have exploited this vulnerability for years.