What you need to know
- Researcher Matt Kunze discovered hackers could've spied on people in their homes through Google's smart speakers.
- If access was gained, a "rogue" account would be able to listen in on your conversations, control your devices, and make online purchases.
- The issue was reported in January 2021 with Google fixing them by April that same year.
A critical issue within the Google Home speaker allowed ears to pry into users' homes without their knowledge.
Researcher Matt Kunze discovered the issues in January 2021 after experimenting with their Nest Mini (via Bleeping Computer). It was found that a new "rogue" account could be added via the Home app and would let the hacker control the device remotely through the cloud API.
Kunze found that to do this, the hacker would need the device's name, certificate, and the "cloud ID" from the local API. With all of this in hand, a hacker could send a link request for the device through Google's server. After going into the device as if they were a rogue user, Kunze unraveled multiple scenarios that could take place should a hacker do this to an unsuspecting person's device at home.
Researcher Kunze's found scenarios include the hacker's ability to unnervingly spy on people, but they could also make HTTP requests on your network or even read/write files on the device.
If this weren't unsettling enough, a hacker could remotely activate the call command of the smart speaker, enabling your device to call their phone at any given moment and listen in on conversations taking place in your home. In Kunze's demonstration video, the Nest Mini's four lights shine blue, which signals that there is a call taking place. However, anyone simply walking by in their home may not pay attention to this or might not attribute this to a call in a place.
Additionally, the hacker would've gained the ability to control your smart home switches, make online transactions, unlock your home and vehicle doors, and even leverage your PIN used for smart locks.
Kunze stated during his breakdown of how he found this frustrating vulnerability that none of this should be possible if you run the latest firmware. This is because when they reported this to Google in 2021, the company patched the problems in April of that same year. The researcher also received $107,500 as compensation for finding the critical flaw and reporting it in detail.
The researcher did state that Google's fixes include the need for an invite to the "Home" the device is registered to in order to link it to your account. Also, Google disabled the ability to activate a call command remotely through a routine. To further strengthen your security, Google smart home devices with a display, like the Nest Hub Max, are protected by a WPA2 password that is shown via an on-display QR code.
