A bug in Google Home smart speaker allowed installing a backdoor account that could be used to control it remotely and to turn it into a snooping device by accessing the microphone feed.
A researcher discovered the issue and received $107,500 for responsibly reporting it to Google last year. Earlier this week, the researcher published technical details about the finding and an attack scenario to show how the flaw could be leveraged.
Compromise process
While experimenting with his own Google Home mini speaker, the researcher discovered that new accounts added using the Google Home app could send commands to it remotely via the cloud API.
Using a Nmap scan, the researcher found the port for the local HTTP API of Google Home, so he set up a proxy to capture the encrypted HTTPS traffic, hoping to snatch the user authorization token.
The researcher discovered that adding a new user to the target device is a two-step process that requires the device name, certificate, and "cloud ID" from its local API. With this info, they could send a link request to the Google server.
To add a rogue user to a target Google Home device, the analyst implemented the link process in a Python script that automated the exfiltration of the local device data and reproduced the linking request.
.png)
The attack is summarized in the researcher's blog as follows:
- The attacker wishes to spy on the victim within wireless proximity of the Google Home (but does NOT have the victim's Wi-Fi password).
- The attacker discovers the victim's Google Home by listening for MAC addresses with prefixes associated with Google Inc. (e.g. E4:F0:42).
- The attacker sends deauth packets to disconnect the device from its network and make it enter setup mode.
- The attacker connects to the device's setup network and requests its device info (name, cert, cloud ID).
- The attacker connects to the internet and uses the obtained device info to link their account to the victim's device.
- The attacker can now spy on the victim through their Google Home over the internet (no need to be close to the device anymore).
