Security researcher Matt Kunze revealed a serious vulnerability in Google smart home speakers that could’ve enabled threat actors to gain remote access over the devices.
Kunze was experimenting with his own Google Home speaker in early 2021 when he found a hacker could install a ‘backdoor’ account on the device over the web. He detailed the security flaw at length on his blog, indicating someone could send commands to the speaker remotely, access its microphone, scrape Wi-Fi passwords, and access other devices on the network.
He said the hacker would have to trick the target or victim into installing a malicious Android app, which allowed the attacker’s account to connect with the smart speaker. Once the hacker was in, the microphone in the Google Home speaker would be easily accessible to snoop on conversations.
The victim would be clueless about the hack. Kunze said, “the only thing they might notice is that the device’s LEDs turn solid blue, but they’d probably just assume it’s updating the firmware or something.”
He reported the security flaw to Google in early 2021, and a patch was provided to all devices in April of the same year. The tech giant rewarded him with more than $100,000 for his efforts.
“I was recently rewarded a total of $107,500 by Google for responsibly disclosing security issues in the Google Home smart speaker that allowed an attacker within wireless proximity to install a “backdoor” account on the device, enabling them to send commands to it remotely over the internet, access its microphone feed, and make arbitrary HTTP requests within the victim’s LAN (which could potentially expose the Wi-Fi password or provide the attacker direct access to the victim’s other devices). These issues have since been fixed,” he wrote on his blog.
“It’s worth noting that Google Home was released in 2016, scheduled routines were added in 2018, and the Local Home SDK was introduced in 2020, so an attacker finding the issue before April 2021 would have had plenty of time to take advantage,” Tech blog Bleeping Computer pointed out.