Security researcher eavesdrops on Google's smart speaker

Google's smart speaker from the Google Home series was vulnerable to eavesdropping, as a security researcher has demonstrated. Google has since fixed the problem and paid the researcher a bug bounty of just over $100,000.

In a detailed report, the security researcher shows how he was able to gain access to the device from within wireless range of the speaker. Anyone whose account is linked to a smart speaker can, among other things, set up routines that run automatically at certain times of the day. According to the researcher, an attacker could have created a routine that makes the speaker call a specific telephone number, turning it into an eavesdropping device.

But how does unauthorized access to the speaker work? To find out, the security researcher intercepted the smart speaker's data communication. To do this, he set up a proxy using the mitmproxy tool and inserted himself into the connection as a man-in-the-middle. According to him, since Google has recently started using HTTPS within the LAN as well, he had to resort to a few tricks.

He rooted his test smartphone so that the Android system would trust mitmproxy's root CA. According to his own statements, he used a Frida script to bypass the app's SSL pinning. Frida lets you modify apps at runtime with JavaScript.

He was then able to read all of the otherwise encrypted data traffic. From it, the security researcher learned how Google accounts are linked to the speaker. Based on this, he wrote a Python script: given a Google account's credentials and the IP address of a Google smart speaker, it links the account to the speaker.

An attacker could have used the script to build an app and trick a victim into installing it. Once the app ran, the speaker would be compromised. According to the security researcher, however, an attack could also work without any cooperation from the victim.

For this, an attacker would have to be within wireless range of the smart speaker. Access to the victim's Wi-Fi network is not necessary. The attacker would first have to find the MAC address of the speaker; MAC address prefixes are associated with Google Inc., which narrows the search. The attacker could then put the device into setup mode by sending certain packets. Using the device information obtained this way, he could link an account to the speaker over the Internet and then also eavesdrop over the Internet.

To stop this, Google has tightened the account-linking process and blocked the "Call [phone number]" routine from being triggered remotely. According to the security researcher, the underlying problem is that the Google Home architecture is based on Chromecast, which has hardly any security measures against man-in-the-middle attacks. As a result, other devices in the Google Home series could also be attacked in this way.


(of)
