Smart speakers such as Google Home have become increasingly popular in recent years because of their convenience and functionality. They let users control their home, look up information and play music with voice commands. However, a security researcher recently showed that these devices may not be as secure as consumers think. The researcher, Matt Kunze, published a technical write-up earlier this week detailing the vulnerabilities he discovered in the Google Home smart speaker.
Kunze began investigating Google Home after noticing how easy it was to add new users to the device from the Google Home app. He found that linking an account to a device gives that account considerable control over it, including the ability to create "routines" (shortcuts that run a series of commands) and to install "actions" (small applications).
He became concerned about the security risks when he realized that any account linked to the device could send commands to it remotely through the routines feature. He then decided to examine the linking process to see how easy it would be for an attacker to link their own account and gain control of the device.
To investigate further, Kunze wanted to intercept and analyze the traffic between the Google Home app and the device, and between the app and Google's servers. He set up a proxy with mitmproxy and configured his phone to route all traffic through it. Because the app uses HTTPS with certificate pinning, the proxy's certificate was rejected and the traffic could not simply be read. To get around this, Kunze used a rooted phone and a Frida script to disable the pinning check and intercept the decrypted traffic. He then studied the linking process between a Chromecast and the Google Home app, and was able to replicate it to link his account to a Google Home device.
Among the captured traffic, Kunze found a POST request to a specific Google endpoint carrying a Protocol Buffers payload, which he decoded with the protoc tool. By modifying this request and replacing the Chromecast's device information with that of a Google Home, he was able to link a new account to the Google Home. He then wrote a Python script that used the gpsoauth library and a .proto file to reproduce the account-linking process without needing the app at all.
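The decode-modify-replay step described above depends on reading a protobuf payload for which you do not have the schema. The following is an added example, not Kunze's script and not Google's message layout: it implements the same raw wire-format walk that `protoc --decode_raw` performs, re-encodes the result, and swaps one field. The sample payload (field 1 = device name, field 2 = a nested device-info message) is constructed here purely for illustration.

```python
"""Raw decoding and re-encoding of protobuf wire-format payloads with no .proto file.

Added example for this article; the field layout in SAMPLE is invented for the demo
and is not Google's real linking request.
"""
from typing import Any, Dict, List, Tuple

VARINT, FIXED64, LENGTH_DELIMITED, FIXED32 = 0, 1, 2, 5


def read_varint(buf: bytes, pos: int) -> Tuple[int, int]:
    """Return (value, new_pos) for the base-128 varint starting at pos."""
    value, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint too long")


def _guess_length_delimited(chunk: bytes) -> Any:
    """Printable UTF-8 -> str; parses as a message -> nested dict; otherwise raw bytes."""
    try:
        text = chunk.decode("utf-8")
        if text.isprintable():
            return text
    except UnicodeDecodeError:
        pass
    try:
        return decode_raw(chunk)
    except ValueError:
        return chunk


def decode_raw(buf: bytes) -> Dict[int, List[Any]]:
    """Map field number -> list of values (repeated fields keep every occurrence).
    Fixed-width fields are kept as ("fixed32"/"fixed64", int) so they re-encode exactly."""
    fields: Dict[int, List[Any]] = {}
    pos = 0
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        field, wtype = tag >> 3, tag & 7
        if field == 0:
            raise ValueError("field number 0 is illegal")
        if wtype == VARINT:
            value, pos = read_varint(buf, pos)
        elif wtype in (FIXED64, FIXED32):
            width = 8 if wtype == FIXED64 else 4
            if pos + width > len(buf):
                raise ValueError("truncated fixed-width field")
            value = ("fixed64" if width == 8 else "fixed32",
                     int.from_bytes(buf[pos:pos + width], "little"))
            pos += width
        elif wtype == LENGTH_DELIMITED:
            length, pos = read_varint(buf, pos)
            chunk = buf[pos:pos + length]
            if len(chunk) != length:
                raise ValueError("truncated length-delimited field")
            pos += length
            value = _guess_length_delimited(chunk)
        else:
            raise ValueError(f"unsupported wire type {wtype}")  # groups or garbage
        fields.setdefault(field, []).append(value)
    return fields


def encode_varint(n: int) -> bytes:
    out = bytearray()
    while True:
        byte, n = n & 0x7F, n >> 7
        if n:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def encode_raw(fields: Dict[int, List[Any]]) -> bytes:
    """Inverse of decode_raw: ints -> varint, tuples -> fixed, str/bytes/dict -> length-delimited."""
    out = bytearray()
    for field, values in fields.items():
        for value in values:
            if isinstance(value, tuple):
                kind, n = value
                wtype, width = (FIXED64, 8) if kind == "fixed64" else (FIXED32, 4)
                out += encode_varint(field << 3 | wtype) + n.to_bytes(width, "little")
            elif isinstance(value, int):
                out += encode_varint(field << 3 | VARINT) + encode_varint(value)
            else:
                payload = (encode_raw(value) if isinstance(value, dict)
                           else value.encode("utf-8") if isinstance(value, str) else value)
                out += (encode_varint(field << 3 | LENGTH_DELIMITED)
                        + encode_varint(len(payload)) + payload)
    return bytes(out)


def swap_field(buf: bytes, field: int, new_value: Any) -> bytes:
    """Decode, replace every value of `field`, re-encode: the edit-and-replay step."""
    fields = decode_raw(buf)
    fields[field] = [new_value]
    return encode_raw(fields)


# Constructed sample: field 1 = device name, field 2 = nested {1: device type, 2: cloud id}.
SAMPLE = encode_raw({1: ["Chromecast"], 2: [{1: [2], 2: ["abc123"]}]})

if __name__ == "__main__":
    print("decoded :", decode_raw(SAMPLE))
    print("modified:", decode_raw(swap_field(SAMPLE, 1, "Google Home")))
```

The type guess for length-delimited fields is a heuristic, exactly as it is in `protoc --decode_raw`: a short binary blob can occasionally parse as a valid message, so confirm the structure against several captured requests before editing and replaying one.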
Kunze also found that it is easy to knock a nearby device off its Wi-Fi network by sending a deauthentication ("deauth") frame to it, which puts the device into "setup" mode. The Google Home Mini does not support protected management frames (802.11w, mandatory in WPA3), so it cannot tell a spoofed deauth frame from a genuine one. He demonstrated this with aircrack-ng, launching a deauth attack against his own Google Home, which disconnected from the network and started broadcasting its own setup network. Kunze connected to that network, used netstat to find the IP address of the gateway (the Google Home itself), and successfully issued a request to its local API.
In this way Kunze was able to link to and control his Google Home Mini remotely. He also observed that the victim may well not notice anything unusual: during a call the device's LED turns solid blue, a pattern normally associated with firmware updates, rather than pulsing as it does when the microphone is active.
Here’s what it looks like when the call is initiated remotely.
Kunze summarized a possible attack scenario as follows:
- The attacker wants to spy on the victim and is within wireless range of the victim's Google Home, but does not know the victim's Wi-Fi password.
- The attacker discovers the Google Home by listening for MAC addresses with prefixes (OUIs) registered to Google (e.g. E4:F0:42).
- The attacker sends deauth frames to disconnect the device from its network and put it into setup mode.
- The attacker connects to the device's setup network and requests its device information through the local API.
- The attacker reconnects to the Internet and uses the obtained device information to link their own account to the victim's device.
- The attacker can now spy on the victim through their Google Home over the Internet, with no need to stay near the device.
Kunze also published three proof-of-concept (PoC) repositories on GitHub, although none of them work anymore because Google has since fixed the flaws; the repositories serve to document the findings.
Google fixed the vulnerabilities with a patch in April 2021 that introduced an invitation-based system for account linking and blocks link attempts from accounts that have not been invited to the home. The patch also made it impossible to deauthenticate the device in a way that could be used to link a new account, and made the local API inaccessible. In addition, Google added a protection that prevents the "call [phone number]" command from being initiated remotely via a routine.
It is worth noting that these vulnerabilities existed for a long time before they were discovered and fixed: Google Home was released in 2016, and the flaws were not patched until 2021.
Smart home devices are becoming increasingly common in homes and offer convenient features and functionality, but they also pose potential risks to consumer privacy and security. It is important for manufacturers to prioritize security in the development of these devices to protect consumer privacy and prevent potential misuse.
Kunze was awarded a $107,500 bug bounty for his work.
Source: Matt Kunze, via The Hacker News and BleepingComputer
For those interested in taking part in a bug bounty program and helping to identify and report security vulnerabilities, Google offers a platform called Google Bug Hunters.