An error in the Google Home speakers allowed them to be controlled remotely and spied on their users’ conversations

Dec. 30 (Portaltic/EP) –

A researcher has discovered with a ‘script’ developed by Python an error in the Google Home speakers, which offered the possibility ofand install a backdoor account to control these devices remotely and spy on user conversations.

python It is a programming language used in a large part of web applications, software development, data science and machine learning. It is free to download and can be used on all systems.

A researcher named Matt Kunze has announced that he recently received financial compensation from Google for one of his latest findings, centered on Google Home smart speakers.

Specifically, Kunze has been rewarded with $107,500 (about 100,615 euros at the current exchange rate) for having discovered an error in these devices that allowed the installation of a backdoor account and that cybercriminals could have taken advantage of to control them remotely and spy on their users’ conversations.

The researcher, who used a Python ‘script’ to access the system of these devices, used a Google Home Mini for his experiment, although he has acknowledged that this type of attack offered the same results in other models of the brand.

First of all, Kunze has insisted that at the beginning of his investigation noticed “how easy it was to add new users to the device from the Google Home application”, as well as linking an account to the device, as can be read in your blog.

With this, he has exposed the different routes that cybercriminals can choose to access the speakers developed by Google. First, Comment the option to get the ‘firmware’ of the device by downloading it from the provider’s website. Next, performing a static analysis of the application that interacts with the device. In this case, Google Home.

Communications between the app and the device or between them and the provider’s servers can also be intercepted through a man-in-the-middle (MitM) attack.

The researcher used the Google Home application and realized that through it they could send commands remotely through the application programming interface (API) in the cloud. So, it used an Nmap scan to find the device’s local HTTP API port and configured a proxy to capture the encrypted HTTPS traffic.

Having obtained this data, he learned that the process of adding a new user to the target device required both the user’s name and the local API cloud ID and certificate. Specifically, for add a malicious user you implemented that connection in a python script, which reproduced the bind request.

In this sense, Kunze describes the most likely attack scenario in the event that cybercriminals had taken advantage of said back door. He first indicates that, when attackers seek to spy on their victims within the proximity of Google Home, manages to access their unique identifiers or MAC.

The attacker then sends deauthorization packets to disconnect the device from the network. Wi-Fi network and display the mode Setting. It then connects to this other configuration and requests the device information (name, certificate, and cloud ID).

After connecting to the internet and making use of the user’s data, it links their account to the victim’s device. From then on, you can spy on the victim without having to be near the device, but only through Google Home or the Internet.

The researcher has posted three proofs of concept (PoCs) on GitHub for these actions, though he has stressed that these should not work on Google Home devices. running the latest version of their ‘firmware’.

It is worth mentioning that Kunze discovered this security flaw in January 2021 and informed the company of this problem. in March 2021. Just a month later, in April, Google had already fixed this problem with a security patch.

However, as stated in Bleeping Computer, Google Home launched in 2016 and scheduled routines for its smart speakers just two years later, so attackers would have been able to exploit this vulnerability for years.