Researcher Uncovers Potential Wiretapping Bugs in Google Home Smart Speakers
2022-12-30 09:25

A security researcher was awarded a bug bounty of $107,500 for identifying security issues in Google Home smart speakers that could be exploited to install backdoors and turn them into wiretapping devices.

The problem, in a nutshell, has to do with how the Google Home software architecture can be leveraged to add a rogue Google user account to a target's home automation device.

In an attack chain detailed by the researcher, a threat actor looking to eavesdrop on a victim can trick the individual into installing a malicious Android app, which, upon detecting a Google Home device on the network, issues stealthy HTTP requests to link an attacker's account to the victim's device.

Taking things a notch higher, it also emerged that, by staging a Wi-Fi deauthentication attack to force a Google Home device to disconnect from the network, the appliance can be made to enter a "Setup mode" and create its own open Wi-Fi network.

The threat actor can subsequently connect to the device's setup network, request details such as the device name, cloud device ID, and certificate, and use them to link their account to the device.
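Detection logic for the sequence described above, added here as an example and not taken from the researcher's write-up or from Google: it correlates a burst of deauthentication frames against one device with an open network appearing from that device shortly afterwards. The event format, the thresholds, the MAC addresses and SSIDs, and the assumption that the setup network is beaconed from the device's own MAC address are all constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sensor events; field names, MACs and the SSID are invented here.
SPEAKER = "aa:bb:cc:00:00:01"
SAMPLE_EVENTS = (
    [{"ts": 100 + i * 0.1, "type": "deauth", "station": SPEAKER} for i in range(40)]
    + [{"ts": 50.0, "type": "deauth", "station": "aa:bb:cc:00:00:02"},  # lone frame
       {"ts": 130.0, "type": "beacon", "bssid": SPEAKER,
        "ssid": "ExampleSetup0001", "encrypted": False},
       {"ts": 131.0, "type": "beacon", "bssid": SPEAKER,
        "ssid": "ExampleSetup0001", "encrypted": False},               # repeat beacon
       {"ts": 135.0, "type": "beacon", "bssid": "aa:bb:cc:00:00:02",
        "ssid": "ExampleSetup0002", "encrypted": False},               # no burst before it
       {"ts": 140.0, "type": "beacon", "bssid": "aa:bb:cc:00:00:09",
        "ssid": "HomeNet", "encrypted": True}]
)

def find_forced_setup(events, burst_size=20, burst_window=10.0, follow_window=120.0):
    """Alert when a deauth burst against a device is followed by an open network
    beaconed from that device's MAC (assumed to equal the setup network's BSSID)."""
    recent = defaultdict(deque)  # station MAC -> timestamps of recent deauth frames
    last_burst = {}              # station MAC -> time the burst threshold was last met
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "deauth":
            q = recent[ev["station"]]
            q.append(ev["ts"])
            while ev["ts"] - q[0] > burst_window:  # drop frames outside the window
                q.popleft()
            if len(q) >= burst_size:
                last_burst[ev["station"]] = ev["ts"]
        elif ev["type"] == "beacon" and not ev["encrypted"]:
            burst_ts = last_burst.get(ev["bssid"])
            if burst_ts is not None and ev["ts"] - burst_ts <= follow_window:
                alerts.append({"device": ev["bssid"], "ssid": ev["ssid"],
                               "delay": ev["ts"] - burst_ts})
                del last_burst[ev["bssid"]]  # beacons repeat; alert once per burst
    return alerts

if __name__ == "__main__":
    for alert in find_forced_setup(SAMPLE_EVENTS):
        print(alert)
```

A single deauthentication frame is common during normal roaming, which is why the check requires a burst inside a short window before it treats a following open network as suspicious.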

Regardless of the attack sequence employed, a successful link process enables the adversary to take advantage of Google Home routines to turn down the volume to zero and call a specific phone number at any given point in time to spy on the victim through the device's microphone.


News URL

https://thehackernews.com/2022/12/researcher-uncovers-potential.html

Related vendor

VENDOR   #/PRODUCTS   LOW   MEDIUM   HIGH   CRITICAL   TOTAL VULNS
Google   141          994   4851     2756   1634       10235