A security researcher was awarded a $107,500 bug bounty for identifying a security issue in Google Home smart speakers that could be exploited to install a backdoor and turn the speakers into wiretapping devices.
The vulnerability allows an attacker "to install a 'backdoor' account on a device in close proximity to the radio and remotely send commands over the Internet, access the microphone feed, and perform arbitrary actions within the victim's LAN," the researcher, who goes by the name Matt, disclosed in a technical article published this week.
Making such a malicious request not only exposes the Wi-Fi password, but also gives the attacker direct access to other devices connected to the same network. The issue was fixed by Google in April 2021, following a responsible disclosure on January 8, 2021.
In a nutshell, the issue has to do with how the Google Home software architecture can be leveraged to add a rogue Google user account to a targeted home automation device.
In the attack chain detailed by the researcher, an attacker who wishes to eavesdrop on a victim tricks the individual into installing a malicious Android app. When the app detects a Google Home device on the network, it issues a stealthy HTTP request to link the attacker's account to the victim's device.
Taking things up a notch, a Wi-Fi deauthentication attack can force the Google Home device to disconnect from the network, which puts the appliance into "setup mode" and makes it create its own open Wi-Fi network.
The attacker then connects to the device's setup network and requests details such as the device name, cloud_device_id, and certificate, which are then used to link the attacker's account to the device.

Regardless of the attack sequence employed, a successful link enables the adversary to take advantage of Google Home routines to turn the volume down to zero and call a specific phone number, spying on the victim through the device's microphone at any point in time.

“The only thing the victim will notice is that the LED on the device will turn blue, but they will probably think they are updating the firmware or something,” said Matt. “During a call, the LED doesn’t flash like it normally does when the device is listening, so there’s no indication that the mic is open.”
Additionally, the attack can be extended to make arbitrary HTTP requests within the victim's network, read files, and even introduce malicious changes to linked devices that are applied after a reboot.
This isn’t the first time such attack methods have been devised to covertly snoop on potential targets via voice-activated devices.
In November 2019, a group of academics disclosed a technique called Light Commands. The name refers to a vulnerability in MEMS microphones that allows an attacker to use light to remotely inject inaudible or invisible commands into popular voice assistants such as Google Assistant, Amazon Alexa, Facebook Portal, and Apple Siri.