The Internet of Things (IoT) also has its share of vulnerabilities. In an article titled “Turning Google’s Smart Speakers Into Listening Devices for $100,000,” Matt Kunze, a cybersecurity researcher, demonstrates how he managed to infiltrate a Google Home smart speaker in order to turn it into a real spy device. A demonstration relayed by our colleagues from BleepingComputer.
Exploiting the device API
After discovering the vulnerability in the firmware of his Google Home Mini, Matt Kunze reported the flaw to Google. A good deed rewarded with bug bounty for the modest sum of 107,500 dollars by the American giant. Discovered at the beginning of 2021, the bug has since been fixed by the developers.
The vulnerability discovered by Matt allowed to associate a third-party Google account with a Home Mini speaker and to fully exploit the functions of the device. To carry out the attack, the researcher disconnected the Google Home from its host’s wifi using a deauthentication attack (a denial of service attack within wifi). Once disconnected from the network, the device then goes into configuration mode and creates a wireless wifi network itself, without a password.
The researcher then takes the opportunity to retrieve the device information (name, certificate, cloud ID) through the use of the internal API (web server) of Google Home. Once the credentials are retrieved, along with the name, cloud ID, and certificate, the researcher can link their Google account to the smart speaker.
Listening to Google Home remotely
By linking their Google account to the device, the researcher is then able to exploit a slew of malicious actions. He can notably control smart switches, make online purchases (if the service is configured) or… spy on conversations. To manage to listen to the audio stream from the speaker’s microphone, the researcher found a way to divert the Google Home call function (via a Google Home routine) in order to listen in real time to the sounds near the device. . The only indicator of this malicious eavesdropping: the device’s LED lights up blue. A detail that many potential victims could not have identified.
In his demonstration, Matt Kunze reveals many other malicious possibilities offered by this vulnerability. It would also be possible to apply lasting modifications within the system, after a restart of the latter. The researcher has made available on GitHub, for educational purposes, some of the Python scripts used in this attack.
The researcher discovered weaknesses in Google Home Mini’s system in January 2021 and forwarded the information to Google immediately. “I tested everything on a Google Home Mini, but I assume these attacks worked similarly on Google’s other smart speaker models”, specifies the researcher on his site. A patch was deployed quickly, in April of the same year. At present, the system would no longer allow adding a Google account by this technique, and the call function of the device has been secured.