According to recent reports, some of the Google Home speaker units could have been hijacked by a third party.
This hijack allowed the third party to control the device remotely and even listen to the user’s private conversation.
And it is a significant security concern for Google. A cybersecurity researcher, Matt Kunze, discovered the bug in smart devices.
And being a Good Samaritan, he reported it to Google. Google gave Matt Kunze $107,500 in bounty rewards for this responsible act.
Kunze was investigating his own personal Google Home speaker. He wanted to find out what issues might be present in his Home Mini speaker.
In a blog post, he explained how he eventually managed to add another Google account to the device. Afterward, the added Google account could be used to take full control of the mic.
In other words, he was able to get past the security measures of the Google Home speaker and eavesdrop on conversations around the device.
However, the process is not as easy as you might have thought. To get through the security system, the attacker must be within the wireless proximity of the Google Home speaker.
They would also need to listen for MAC addresses with prefixes associated with Google. Then, the attacker could send deauth packets, disconnecting the device from the network and forcing it into setup mode.
The attacker can request device info when the Google Home speaker is in setup mode. This info can be used to link the attacker’s account to the device.
What happens when the attacker links their account to the Google Home speaker? They will be able to take control of the device even when they are not within wireless proximity.
In other words, the attacker can spy on you remotely and over the internet. The risk here is not just about eavesdropping on conversations.
The researcher also found a way to use the “call phone number” command, which makes the speaker call the attacker at a particular time and give a live audio feed.
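A defender-side sketch of the sequence described above (deauth burst against the speaker, setup mode, then a new account link), added here as an example and not taken from Kunze's post or from Google. The log format, the event names and the `AA:BB:CC` prefix are constructed placeholders; it assumes a wireless sensor and an account-activity feed that can supply such events.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WATCHED_OUIS = {"AA:BB:CC"}            # placeholder prefix, not a real vendor OUI
BURST_COUNT = 5                        # this many deauth frames ...
BURST_WINDOW = timedelta(seconds=10)   # ... inside this window is a burst
FOLLOW_WINDOW = timedelta(seconds=120) # next stage must follow within this time

# Constructed sample log, hypothetical format: "<ISO time> <EVENT> mac=<MAC>"
SAMPLE_LOG = """\
2021-01-10T12:00:00 DEAUTH mac=AA:BB:CC:00:00:01
2021-01-10T12:00:01 DEAUTH mac=AA:BB:CC:00:00:01
2021-01-10T12:00:02 DEAUTH mac=AA:BB:CC:00:00:01
2021-01-10T12:00:03 DEAUTH mac=AA:BB:CC:00:00:01
2021-01-10T12:00:04 DEAUTH mac=AA:BB:CC:00:00:01
2021-01-10T12:00:20 SETUP_MODE mac=AA:BB:CC:00:00:01
2021-01-10T12:00:45 ACCOUNT_LINKED mac=AA:BB:CC:00:00:01
2021-01-10T12:04:00 DEAUTH mac=AA:BB:CC:00:00:02
2021-01-10T12:05:00 SETUP_MODE mac=AA:BB:CC:00:00:02
2021-01-10T12:06:00 DEAUTH mac=11:22:33:00:00:09
"""

def detect(log_text):
    """Return (mac, stage) alerts for burst -> setup mode -> account link chains."""
    deauths = defaultdict(deque)  # mac -> timestamps of recent deauth frames
    stage = {}                    # mac -> (last stage reached, time reached)
    alerts = []
    for line in filter(str.strip, log_text.splitlines()):
        ts_text, event, field = line.split()
        ts, mac = datetime.fromisoformat(ts_text), field.split("=", 1)[1].upper()
        if mac[:8] not in WATCHED_OUIS:
            continue
        if event == "DEAUTH":
            q = deauths[mac]
            q.append(ts)
            while ts - q[0] > BURST_WINDOW:   # drop frames outside the window
                q.popleft()
            if len(q) >= BURST_COUNT:
                stage[mac] = ("burst", ts)
            continue
        prev, since = stage.get(mac, (None, ts))
        fresh = ts - since <= FOLLOW_WINDOW
        if event == "SETUP_MODE" and prev == "burst" and fresh:
            stage[mac] = ("setup", ts)
            alerts.append((mac, "setup mode after deauth burst"))
        elif event == "ACCOUNT_LINKED" and prev == "setup" and fresh:
            stage.pop(mac)
            alerts.append((mac, "account linked after forced setup mode"))
    return alerts
```

On the sample log, only the first speaker raises alerts; the second one enters setup mode after a single deauth frame, which looks like an ordinary reset rather than a forced one.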
That said, this Google Home speaker bug was discovered in early 2021, and Google had already patched it by April 2022. The fix took security to the next level.
It blocks any accounts that are not added on Home. However, to ensure there is no risk, Google advised Home users to update their device’s firmware to the latest version. So, make sure that your speaker is updated!
Slava is a man of mystery and no-one seems to know exactly where he is at any point in time. When he isn't enjoying writing about all things audio and technical he can be found researching his next project of interest. The man never rests.