Safety researcher Matt Kunze uncovered a serious vulnerability in Google intelligent home speakers that could’ve enabled threat actors to get remote access over the devices.
Kunze was experimenting with his own Search engines Home speaker in early 2021 when he found a hacker could install a ‘ backdoor’ account on the device over the web. He comprehensive the security flaw at length on his blog , indicating someone could send commands to the loudspeaker remotely, access its microphone, scrape Wi-Fi passwords, plus access other devices in the network.
He stated the hacker would have to technique the target or victim directly into installing a malicious Google android app, which allowed the particular attacker’s account to connect using the smart speaker. Once the hacker was in, the microphone within the Google Home speaker would be easily accessible to snoop upon conversations.
The target would be clueless about the crack. Kunze said, “ the one thing they might notice is that the device’s LEDs turn solid azure, but they’d probably just assume it’s updating the particular firmware or something. ”
This individual reported the security flaw to Google in early 2021, along with a patch was provided to any or all devices in April from the same year. The technology giant rewarded him with more than $100, 000 for their efforts.
“ I was recently rewarded a total of $107, 500 by Google for responsibly disclosing protection issues in the Google House smart speaker that permitted an attacker within wireless proximity to install a “ backdoor” account on the gadget, enabling them to send instructions to it remotely over the internet, access its microphone feed, plus make arbitrary HTTP demands within the victim’s LAN (which could potentially expose the Wi fi password or provide the attacker direct access to the victim’s various other devices). These issues have since been fixed, ” he wrote on his blog.
“ It’s worth noting that Google Home was released in 2016, scheduled programs were added in 2018, and the Local Home SDK was introduced in 2020, so an attacker finding the issue before April 2021 would have had plenty of time to take advantage, ” Tech blog Bleeping Computer pointed out.