Matt Kunze, cyber researcher and ethical hacker, managed to hack a Google Home speaker to the point of being able to record phone calls. The tech giant fixed the bug following this discovery.
This is the main fear of all owners of a voice assistant. A vulnerability in Google’s connected speaker allowed spyware to be installed to eavesdrop on users. The cyber researcher Matt Kunze, at the origin of this discovery, details his hacking in an article published on December 26 on his blog. Google rewarded the expert with a check for $107,500. The flaw had been discreetly reported by Matt Kunze to the tech giant a year ago, it has since been corrected.
As often, the discovery of this vulnerability starts with a simple test. The researcher was interested in his own mini Google Home speaker. He started by scanning the cloud programming interface to understand how adding new accounts works. He then configured a proxy — a relay between the server and the connected object — to capture the traffic and retrieve the connection token.
The ethical hacker discovered that adding a new user on the target device is a two-step process that requires device name, certificate, and cloud ID. With this information, he can then send a link request to the Google server. Once the account is linked, the attacker can start exfiltrating data or launching queries.
A gateway to hack everything
From there, the possibilities are many. The hacker can turn to all objects connected to the Google Home: switch, lock, TV. More worrying, the researcher found a way to program the activation of the microphone as soon as the command “call” is pronounced. During the call, the device light turns blue, which is the only indication that activity is taking place. If the victim notices it, they can assume that the device is updating its firmware.
Google patched all of these flaws in April 2021. The update includes a new invite-based system for managing account links, which blocks any unadded attempts on Home. As for the “call” command, the tech giant has added protection to prevent it from being triggered remotely. For the moment, only ethical hackers have taken control of connected speakers, but we are not immune to spyware when we discover these flaws.
