Hackers aren't going to brick your new Google Home Hub, but Google does need to fix a few things when it comes to the smart display's network security settings. Kind of.
It started when security advocate Jerry Gamblin did what a security advocate does and scanned his local network after he hooked up his Google Home Hub. He found which network ports were open and listening, and what they were probably configured to listen for.
I am not an IOT security expert, but I am pretty sure an unauthenticated curl statement should not be able to reboot the @madebygoogle home hub. pic.twitter.com/gCWFm5Ofyb — Jerry Gamblin (@JGamblin) October 27, 2018
To most people, this doesn't mean much, but to others, it shows that:
- The Google Home Hub is an advanced Chromecast (or dumbed-down Android TV device, take your pick) and not an Android Things device like the Lenovo Smart Display and other similar products.
- It's probably "susceptible" to the same kinds of network commands that Chromecasts are, like this one that will force an OTA update if you would rather not wait in line.
We already knew that the Home Hub wasn't running the same operating system as other smart displays, as Ars Technica reported. Now we know a little more about what operating system it is running, and how to "talk" to it and make it do things.
Imagine Android with the things needed to install and run normal Android apps (Dalvik and Bionic if you're into this sort of thing) removed and a proprietary multicast DNS DIAL (the Discovery and Launch network protocol developed by Netflix and YouTube) style binary blob dropped in their place. If you knew how to communicate with that mDNS software, like say the Google Home app does, you could perform basic device functions using a command line network connection to those open ports Gamblin found.
Eureka! It turns out you can talk to that "secret" API that a Google Home Hub is using to communicate and all the things you can do are slowly but surely being documented.
This includes things like forcing a reboot or even a remote factory reset command. While not ideal, these won't "brick" your Google Home Hub like we've seen being reported, but you could be forced to open the Google Home app on a phone and reconnect. It's also important to remember that you need to be on the same local network as the Home Hub, so nobody can do any of this over the internet.
Google will have to find a way to clamp this down now that it's moved away from "hacker" forums like XDA and into the mainstream. The Google Home app still needs to be able to do everything it can do now, but a way to authenticate itself with a Home Hub so another device on the network can't connect needs to be implemented.
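The difference between the current behaviour and an authenticated one, as an added sketch that is not Google's API or its eventual fix: every name here (`handle_unauthenticated`, `PairedDevice`, `sign`) is hypothetical, and it assumes the controlling app and the device share a secret key established during pairing.

```python
import hashlib
import hmac
import time

# Hypothetical model of a LAN device command endpoint; not Google's API.
ALLOWED = {"reboot", "factory_reset"}
MAX_SKEW = 30  # seconds a signed request stays valid


def handle_unauthenticated(command):
    """Behaviour the article describes: any LAN peer's command is run."""
    return command in ALLOWED


def sign(key, command, nonce, ts):
    """Controller side: MAC over command, fixed-length nonce and timestamp."""
    msg = b"|".join([command.encode(), nonce, str(int(ts)).encode()])
    return hmac.new(key, msg, hashlib.sha256).digest()


class PairedDevice:
    """Device that only runs commands signed with the key shared at pairing."""

    def __init__(self, pairing_key):
        self._key = pairing_key
        self._seen = {}  # nonce -> timestamp, kept to block replays

    def handle(self, command, nonce, ts, tag, now=None):
        now = time.time() if now is None else now
        # Forget nonces whose timestamps can no longer pass the skew check.
        self._seen = {n: t for n, t in self._seen.items() if now - t <= MAX_SKEW}
        if command not in ALLOWED or abs(now - ts) > MAX_SKEW:
            return False  # unknown command, or stale/future-dated request
        if nonce in self._seen:
            return False  # replay of a request already accepted
        # Constant-time comparison avoids leaking how much of the tag matched.
        if not hmac.compare_digest(sign(self._key, command, nonce, ts), tag):
            return False  # sender does not hold the pairing key
        self._seen[nonce] = ts
        return True
```

Another device on the same Wi-Fi can still reach the port, but without the pairing key it cannot produce a valid tag, and a captured request cannot be replayed or reused for a different command.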
If you just want everything to work, you don't have to be too alarmed unless you have someone connected to your Wi-Fi that likes to mess with things. If you are one of those people who like to mess with things, I'd recommend you get on it now before Google locks down remote access to the undocumented — and mistakenly open to the public — API.
Either way, the sky isn't falling and your Home Hub is going to be just fine.
I can't tell you how much I appreciate your perspective on security matters.
Was pretty worried, 'cause they said 'Smart Display' as well. 'Cause I own a Lenovo display (Google Assistant) which is acting as a main console and have everything else connected to it, including a few Home Minis, Hues, Ring doorbell. Got my display around the same price as the Home Hub and got a bigger screen, more features, better speakers, and it comes with a camera as well. Would still get a Home Hub on Black Friday if it sells below $100 though haha
All indications are that it will be $50 off Black Friday and Cyber Monday!