A security researcher was recently awarded a bug bounty of $107,500 for identifying security issues in Google Home smart speakers that could have been exploited to turn them into wiretapping devices. The researcher found that the vulnerabilities allowed an attacker within wireless proximity of the device to add a "backdoor" account to it and then send it commands remotely. Those commands included activating the microphone feed and issuing arbitrary HTTP requests inside the victim's local area network (LAN), which could expose the victim's Wi-Fi password and give the attacker direct access to other devices on the same network. The researcher, Matt Kunze, described the work in a detailed blog post.
Kunze detailed an attack chain in which a threat actor tricks the victim into installing a malicious Android app. Once installed, the app discovers a Google Home device on the local network and issues stealthy HTTP requests to link the attacker's account to that device. The attacker can then use Google Home routines to turn the volume down to zero and place a call to a phone number under their control at a time of their choosing, turning the device's microphone into a listening post. The victim may not notice the compromise: the only visible sign is that the LEDs on the device turn solid blue, which the victim might take for a firmware update.
In addition to this method, Kunze found that an attacker could stage a Wi-Fi de-authentication attack to force a Google Home device off its network and into "setup mode," in which the device broadcasts its own open Wi-Fi network. (De-authentication frames are not authenticated unless the network uses protected management frames, so a nearby attacker can forge them with off-the-shelf tools.) The attacker could then connect to the device's setup network and request details such as the device name, cloud_device_id, and certificate, which could be used to link their account to the device. Once linked, the attacker could make arbitrary HTTP requests within the victim's network and even introduce malicious modifications on the linked device, which would be applied after a reboot.
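The de-authentication step above is the part of the chain a defender can actually observe on the air, because a burst of forged deauth frames aimed at one client looks nothing like normal roaming. The following is an added detection example, not code from Kunze's research or from Google: it parses constructed wireless-sensor log lines (one frame per line, in a made-up format) and flags a client that receives a threshold number of deauth or disassoc frames inside a short window. The MAC addresses, the log format, and the threshold values are assumptions chosen for illustration.

```python
"""Flag 802.11 deauthentication bursts in monitor-mode frame logs.

Added example (not from the original article). The log format is assumed:
    <epoch_ts> <frame_type> src=<mac> dst=<mac> [reason=<code>]
"""
from collections import defaultdict, deque

DEAUTH_THRESHOLD = 10   # frames against one client ...
WINDOW_SECONDS = 5.0    # ... within this many seconds triggers an alert


def parse_frame_line(line):
    """Parse one log line into a dict; raise ValueError on malformed input."""
    parts = line.split()
    if len(parts) < 4:
        raise ValueError(f"malformed frame line: {line!r}")
    ts, frame_type = float(parts[0]), parts[1].lower()
    fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
    return {
        "ts": ts,
        "type": frame_type,
        "src": fields["src"].lower(),   # claimed sender (spoofable without 802.11w)
        "dst": fields["dst"].lower(),   # targeted client, or ff:ff:... for broadcast
        "reason": int(fields.get("reason", 0)),
    }


def detect_deauth_bursts(lines, threshold=DEAUTH_THRESHOLD, window=WINDOW_SECONDS):
    """Return one alert per (ap, client) pair that sees >= threshold
    deauth/disassoc frames within `window` seconds. Sliding window per pair."""
    recent = defaultdict(deque)   # (src, dst) -> timestamps still inside the window
    alerted = set()
    alerts = []
    for line in lines:
        frame = parse_frame_line(line)
        if frame["type"] not in ("deauth", "disassoc"):
            continue
        key = (frame["src"], frame["dst"])
        q = recent[key]
        q.append(frame["ts"])
        while q and frame["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "ap": frame["src"],
                "client": frame["dst"],
                "count": len(q),
                "first_ts": q[0],
                "last_ts": frame["ts"],
                "reason": frame["reason"],
            })
    return alerts


# Constructed sample: a beacon, two legitimate deauths a minute apart, then
# fifteen forged deauths (reason 7, "class 3 frame from nonassociated STA")
# fired at one client inside 1.5 seconds. All MACs are placeholders.
AP = "aa:bb:cc:dd:ee:01"
LAPTOP = "de:ad:be:ef:00:01"
SPEAKER = "f4:f5:d8:00:00:01"
SAMPLE_FRAMES = [
    f"1672531200.000 beacon src={AP} dst=ff:ff:ff:ff:ff:ff",
    f"1672531201.000 deauth src={AP} dst={LAPTOP} reason=3",
    f"1672531260.000 deauth src={AP} dst={LAPTOP} reason=3",
] + [
    f"{1672531300 + i * 0.1:.3f} deauth src={AP} dst={SPEAKER} reason=7"
    for i in range(15)
]


def run_sample():
    """Run the detector over the constructed frames and return the alerts."""
    return detect_deauth_bursts(SAMPLE_FRAMES)


if __name__ == "__main__":
    for alert in run_sample():
        print(f"deauth burst: {alert['count']} frames from {alert['ap']} "
              f"to {alert['client']} in {alert['last_ts'] - alert['first_ts']:.1f}s")
```

Two caveats apply. The `src` address on a deauth frame is whatever the attacker wrote, so the alert keys on the targeted client rather than trusting the apparent AP; and the more durable fix is to enable protected management frames (802.11w) on the access point, which makes forged deauth frames ineffective for clients that support it. A client that drops off and then starts advertising an open setup SSID of its own, as the article describes for Google Home, is the follow-on signal worth correlating with an alert like this one.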
Google remediated the issues after Kunze responsibly disclosed them on January 8, 2021. The fixes included an invite-based mechanism for linking a Google account to a device through the API and disabling the remote initiation of call commands through routines. This is not the first time that voice-activated devices have been targeted for covert snooping: the earlier "Light Commands" research showed that inaudible, invisible commands could be injected into assistants such as Google Assistant, Amazon Alexa, Facebook Portal, and Apple Siri using modulated laser light aimed at their microphones. Companies and individuals should keep such devices updated, place them on a segregated network away from sensitive systems, and review which accounts are linked to them.