Some Google Home smart speakers may have been hijacked to control the device remotely and even eavesdrop on private conversations (opens in a new tab) calls, says a security expert.
The bug was discovered by cybersecurity researcher Matt Kunze, who received a $107,500 reward for responsibly reporting it to Google.
Kunze, who has been researching his personal Google Home mini speaker for possible issues, explained wa blog post (opens in a new tab) how he found a way to add another Google account to the device, which would be enough to eavesdrop on people.
Adding fraudulent accounts
First, the attacker must be within a wireless range of the device and listen to MAC addresses with prefixes associated with Google.
They can then send deauth packets to disconnect the device from the network and enter configuration mode. In setup mode, they request information about the device and use that information to link their account to the device and – voila! – can now spy on device owners over the internet and can move away from Wi-Fi.
But the risk is greater than “just” listening to people talk. Many smart home speaker users pair their devices with various other smart devices, such as door locks and smart switches. Moreover, the researcher found a way to abuse the “call a phone number” command and make the device call the attacker at a certain time and transmit the audio live.
The bug was discovered in early 2021 and fixed by April 2022, and Google has resolved the issue by creating a new invite-based account linking system that blocks any accounts not added to the home page.
That being said, to ensure there are no risks, Google Home users are advised to update their endpoint firmware to the latest version as soon as possible.
Through: Beeping Computer (opens in a new tab)