Security Loophole in Google Home Speakers Let Hackers Snoop on Private Conversations

Security Loophole in Google Home Speakers Let Hackers Snoop on Private Conversations
Google Vice President Mario Queiroz introducing the new Google Home device during the keynote address of the Google I/O conference in Mountain View, Calif., on May 18, 2016. (AP Photo/Eric Risberg, File)
Bryan Jung
1/3/2023
Updated:
1/3/2023
0:00

It was recently revealed that a security loophole within Google Home speakers allowed hackers to snoop on conversations.

A bug allowed hackers to install a backdoor account on a Google Home smart speaker device and use it via remote control to eavesdrop on unsuspecting owners by accessing its microphone feed, reported Bleeping Computer.
Security researcher Matt Kunze was recently rewarded a total of $107,500 by Google for discovering the security issue in January 2021, while experimenting with his own Google Home mini-speaker.

Kunze notified Google in March 2021 and later published the technical details about his findings, along with a potential attack scenario, which explained how the flaw could be exploited by an outside actor.

He discovered a flaw that allowed commands to remotely through the application programming interface (cloud API) after setting up a new account using the Google Home app.

Google Home, a series of smart speakers, was released in 2016 to much fanfare and enabled users to verbally issue voice commands to interact with services through Google Assistant.

Serious Loophole Allowed Hackers to Access Smart Appliances and Speakers

Kunze noted that if a hacker got within wireless proximity of a speaker device, even without access to the Wi-Fi network that it was connected to, they could discover a user’s Google Home system.

After a user account is created, an actor could then access the user’s setup mode, install a different Google account, and then re-connect it to that unsuspecting person’s Wi-Fi network.

Once a hacker managed to connect their own account to the Google Home speaker, they would have access to the smart devices in the victim’s home by initiating a phone call via the speaker, giving them the ability to hijack appliances, set up scheduled routines, and play music.

Meanwhile, many users were unaware of the smart speaker’s blue light alert that lights up when a phone was activated, assuming that the speaker was updating or was busy.

Google Update Addresses the Security Bug

Google has since prevented the ability to remotely add an account to a Google Home speaker with a patch that included a new invite-based system to handle account links, blocking any attempts by individuals not added on Home.

Phone call security was also fixed as well, with added protection to prevent remote initiation through the scheduled routine system.

Google’s smart displays now have an improved setup network that requires a QR code to log in, allowing it to be protected with WPA2, meaning that a hacker would need physical access to a device to connect their account.

Kunze said that Google Nest and Home devices were, for the most part, rather secure and did not offer a lot of attack vectors and that the vulnerabilities he discovered were pretty subtle.

Other than phone call privacy, he said that the most an attacker could do was to change some basic user settings.

The Epoch Times reached out to Google for comment.

Bryan S. Jung is a native and resident of New York City with a background in politics and the legal industry. He graduated from Binghamton University.
Related Topics