The bug was discovered by cybersecurity researcher Matt Kunze, who received $107,500 in bounty rewards for responsibly reporting it to Google.
Kunze, who was investigating his own personal Google Home mini speaker for possible issues, explained in a blog post how he found a way to add another Google account to the device, which would be enough to be able to eavesdrop on people.
Adding rogue accounts
First, the attacker needs to be within wireless proximity of the device, and listen to MAC addresses with prefixes associated with Google.
After that, they can send deauth packets, to disconnect the device from the network and trigger the setup mode. In the setup mode, they request device info, and use that information to link their account to the device and - voila! - they can now spy on the device owners over the internet, and can move away from the WiFi.
But the risk is bigger than “just” listening to people’s conversations. Many smart home speaker users connect their devices with various other smart devices, such as door locks and smart switches. Furthermore, the researcher found a way to abuse the “call phone number” command, and have the device call the attacker at a specified time and feed live audio.
The bug was discovered in early 2021 and patched up by April 2022, with Google addressing the issue by creating a new invite-based system for account linking, blocking any accounts not added on Home.
That being said, to make sure there is no risk, Google Home users are advised to update the endpoint’s firmware to the latest version as soon as possible.
- Check out the best endpoint protection services around
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.