As the mighty corporations of our planet continue to search for ways to monetize and milk the populations of Earth, they are growing bold, hoping that too few of us have learned the lessons of George Orwell’s 1984 to notice.
For many of the larger companies out there, this means data-harvesting, and lots of it. They need to know precisely how we act online, particularly when it comes to our spending habits, and so they’ve developed devices, marketed as enhancers of convenience, that listen in on everything that we do.
Now, one man has exposed a massive security flaw in the Google Home device, and it could have allowed hackers to listen in on your private moments.
Bleeping Computer reports that a vulnerability in Google Home smart speakers allowed the creation of a backdoor account that could be used to remotely control the device and access its microphone feed, potentially turning it into a spying tool.
The flaw was discovered by researcher Matt Kunze, who received a $107,500 reward for responsibly reporting it to Google in the previous year. Kunze published technical details and an attack scenario illustrating the exploit late last week.
During his experimentation with a Google Home Mini speaker, Kunze discovered that new accounts created using the Google Home app could remotely send commands to the device through the cloud API. To capture the encrypted HTTPS traffic and potentially obtain the user authorization token, the researcher used an Nmap scan to locate the port for the local HTTP API of Google Home and set up a proxy.
The unfortunate reality of the situation was that this particular exploit wasn’t all that complicated.
Kunze found that adding a new user to the target device involves two steps: first, obtaining the device name, certificate, and “cloud ID” from its local API; second, using that information to send a link request to the Google server. To add an unauthorized user to a target Google Home device, Kunze implemented the linking process in a Python script that automated the extraction of local device data and reproduced the linking request.
This is far from the first time that Google Home (or its competitive facsimile Alexa, by Amazon) has been outed as a major security hazard for users, and it is highly doubtful that it will be the last.