The Google Home smart speaker could be remotely controlled and turned into an eavesdropping device by installing a backdoor account with access to the microphone feed. Last year, a researcher found the problem and was awarded $107,500 for responsibly reporting it to Google. Earlier this week, the researcher published the technical details of the discovery together with an attack scenario showing how the issue could be exploited.
While experimenting with his own Google Home speaker, the researcher found that a new account added through the Google Home app can control the device remotely via the cloud API. Using an Nmap scan, he located the port of Google Home’s local HTTP API, then routed the app’s HTTPS traffic through an intercepting proxy to capture the user authorization token.
The researcher noticed that adding a new user to the target device is a two-step process that requires the device name plus the “cloud ID” and “cloud certificate” obtained from the local API. With this information, a link request can be submitted to Google’s server. He automated the exfiltration of the local device data and reproduced the linking request by implementing the link procedure in a Python script, which adds a malicious user to a target Google Home device.
The researcher’s blog provides the following summary of the attack:
- The attacker wishes to spy on the victim within wireless proximity of the Google Home (but does NOT have the victim’s Wi-Fi password).
- The attacker discovers the victim’s Google Home by listening for MAC addresses with prefixes associated with Google Inc. (e.g. E4:F0:42).
- The attacker sends deauth packets to disconnect the device from its network and make it enter setup mode.
- The attacker connects to the device’s setup network and requests its device info (name, cert, cloud ID).
- The attacker connects to the internet and uses the obtained device info to link their account to the victim’s device.
- The attacker can now spy on the victim through their Google Home over the internet (no need to be close to the device anymore).
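The deauthentication step in the summary above is the part of the chain a defender can observe on the air before any account is linked. The following Python script is an added example written for this page, not code from the article or from the researcher’s proofs of concept: it reads constructed wireless-IDS event lines (the line format, the source addresses and the threshold values are assumptions) and raises an alert when a client whose MAC carries a Google OUI such as E4:F0:42 receives a burst of deauth frames inside a short sliding window.

```python
"""Flag a deauthentication burst aimed at a Google-prefixed client MAC.

Added example for this page; it is not part of the original article or of
the researcher's PoCs.  Input lines follow an assumed wireless-IDS format:

    <epoch_seconds> DEAUTH src=<sender_mac> dst=<target_mac> reason=<code>
"""
import re
from collections import defaultdict, deque

# E4:F0:42 is the prefix named in the article; a real deployment would load
# the full set of Google-registered prefixes from the IEEE OUI registry.
GOOGLE_OUIS = {"E4:F0:42"}
BROADCAST = "FF:FF:FF:FF:FF:FF"

THRESHOLD = 5   # deauth frames to the same target ... (assumed tuning value)
WINDOW = 10.0   # ... within this many seconds         (assumed tuning value)

LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+DEAUTH\s+"
    r"src=(?P<src>[0-9A-Fa-f:]{17})\s+dst=(?P<dst>[0-9A-Fa-f:]{17})"
)


def oui(mac: str) -> str:
    """First three octets of a MAC, upper-cased, e.g. 'E4:F0:42'."""
    return mac.upper()[:8]


def parse_line(line: str):
    """Return (timestamp, src, dst) for a DEAUTH line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return float(m["ts"]), m["src"].upper(), m["dst"].upper()


def detect_deauth_flood(lines, threshold=THRESHOLD, window=WINDOW, ouis=GOOGLE_OUIS):
    """Sliding-window count of deauth frames per target MAC.

    Returns one (target_mac, first_frame_ts, count) tuple per target that
    crosses `threshold` frames within `window` seconds.  Only targets whose
    OUI is in `ouis`, or the broadcast address, are considered, because the
    attack in the article is aimed at a specific device class.
    """
    recent = defaultdict(deque)   # target MAC -> timestamps inside the window
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                       # unrelated log line
        ts, _src, dst = parsed
        if dst != BROADCAST and oui(dst) not in ouis:
            continue                       # not a device we are watching
        q = recent[dst]
        q.append(ts)
        while q and ts - q[0] > window:    # drop frames older than the window
            q.popleft()
        if len(q) >= threshold and dst not in alerts:
            alerts[dst] = (dst, q[0], len(q))
    return list(alerts.values())


# Constructed sample events: one harmless deauth, a burst against a Google
# device, a burst against a non-Google laptop, and a stray non-deauth line.
ATTACKER = "AA:BB:CC:00:00:01"
GOOGLE_DEVICE = "E4:F0:42:11:22:33"
LAPTOP = "00:11:22:33:44:55"

SAMPLE_EVENTS = [
    f"1700000000.0 DEAUTH src={ATTACKER} dst={GOOGLE_DEVICE} reason=7",
] + [
    f"{1700000100.0 + 0.2 * i:.1f} DEAUTH src={ATTACKER} dst={GOOGLE_DEVICE} reason=7"
    for i in range(6)
] + [
    f"{1700000100.1 + 0.2 * i:.1f} DEAUTH src={ATTACKER} dst={LAPTOP} reason=7"
    for i in range(6)
] + [
    "1700000101.5 ASSOC src=00:11:22:33:44:55 dst=AA:BB:CC:00:00:01",
]

if __name__ == "__main__":
    for mac, first_ts, count in detect_deauth_flood(SAMPLE_EVENTS):
        print(f"ALERT deauth burst: {count} frames to {mac} starting at {first_ts}")
```

The isolated first frame falls out of the window before the burst begins, so the alert records the burst’s own start time; the identical burst against the laptop is ignored by this rule because its OUI is not on the watch list, which is the trade-off of scoping detection to one device class.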
Three proof-of-concept (PoC) scripts for the above steps were published by the researcher on GitHub, although the latest firmware update should stop them from working on Google Home devices. The PoCs go beyond creating a rogue user: they also allow microphone eavesdropping, arbitrary HTTP requests on the victim’s network, and arbitrary file reads and writes on the target device.
Once a rogue account is linked to the target device, the Google Home speaker can be made to perform operations such as activating smart switches, making online purchases, remotely unlocking doors and cars, or covertly brute-forcing the user’s PIN for smart locks. More concerning, the researcher found a way to misuse the “call [phone number]” command by embedding it in a malicious routine that activated the microphone at a predetermined time, called the attacker’s number, and streamed the live microphone feed.
The only visible sign that a call is in progress is the device’s LED turning blue; a victim who notices it could easily assume the device is updating its firmware. The LED that normally pulses while the microphone is active does not do so during a call. Finally, the attacker can also play media, rename or reboot the hacked speaker, erase its saved Wi-Fi networks, force new Bluetooth or Wi-Fi pairings, and perform other operations on it.
The researcher identified the flaws in January 2021 and submitted further details and proofs of concept in March 2021. Google fixed all issues in April 2021. The fix adds a new invite-based system for managing account links that rejects any link attempt from an account not already added in the Home app. Although it is still possible to deauthenticate a Google Home, this can no longer be used to link a new account, and the local API that exposed the basic device information can no longer be abused for that purpose.
Google has also added a safeguard to the “call [phone number]” command to stop it from being initiated remotely through routines. Google Home shipped in 2016, scheduled routines were added in 2018, and the Local Home SDK launched in 2020, so an attacker who discovered the flaw before April 2021 would have had plenty of time to exploit it.