The Internet of Things (IoT) also has its share of vulnerabilities. In an article titled “Turning Google’s Smart Speakers Into Listening Devices for $100,000,” Matt Kunze, a cybersecurity researcher, demonstrates how he managed to compromise a Google Home smart speaker and turn it into a genuine spying device. The demonstration was reported by our colleagues at Bleeping Computer.
Use of the device’s API
After discovering the vulnerability in the firmware of his Google Home Mini, Matt Kunze reported the bug to Google. A good deed that the American giant rewarded with a bug bounty of a modest $107,500. Discovered in early 2021, the bug has since been fixed by the developers.
The vulnerability discovered by Matt made it possible to link a third-party Google account to a Home Mini speaker and take full advantage of the device’s features. To carry out the attack, the researcher disconnected the Google Home from the host’s wifi using a deauthentication attack (a denial-of-service attack against wifi clients). Once disconnected from the network, the device goes into configuration mode and itself creates an open wifi network with no password.
The researcher then uses that window to retrieve the device’s information (name, certificate, cloud ID) from Google Home’s internal API (local web server). With those values in hand, the researcher can link their own Google account to the smart speaker.
Listening to Google Home remotely
By linking their Google account to the device, the researcher is able to perform a number of malicious actions. In particular, he can manage smart contacts, make online purchases (if the service is configured) or… spy on conversations. To listen to the audio stream from the speaker’s microphone, the researcher found a way to repurpose the Google Home call function (via a Google Home routine) so as to listen in real time to the sounds around the device. The only indicator of this malicious interception: the device’s LED lights up blue, a detail that many potential victims would not notice.
In his demonstration, Matt Kunze reveals many other malicious possibilities that this vulnerability offers. It would also be possible to make changes to the system that persist across a restart of the device. The researcher has made some of the Python scripts used in this attack available on GitHub for educational purposes.
The researcher discovered the weaknesses in the Google Home Mini’s system in January 2021 and immediately forwarded the information to Google. “I tested everything on a Google Home Mini, but I assume these attacks worked similarly on Google’s other smart speaker models,” the researcher specifies on his website. A patch was quickly deployed in April of that year. Since then, the system no longer allows adding a Google account using this technique, and the device’s calling function has been secured.