Hack raises security questions over Google smart speakers

It’s always there. Always listening.

Having a device like Google Home inside our house is pretty standard these days. From setting alarms to playing our favourite song using a simple voice command, the technology certainly comes in handy.

But have you ever felt uneasy about those always-active microphones?

Can we be sure our privacy is not being compromised?

IT professional and security researcher Matt Kunze was  messing around with Google Home one day when he made a concerning discovery.

In his blog, Kunze says “I noticed how easy it was to add new users to the device from the Google Home app. I also noticed that linking your account to the device gives you a surprising amount of control over it.”

Kunze was determined to find out if it was possible for an attacker to link their own Google account to someone’s Google Home and execute commands remotely on someone else’s network.

The result? Kunze, alarmingly, was able to turn his Google Home Mini into what could basically be described as a listening device.

Kunze says he was recently rewarded a total of $107,500 by Google for responsibly disclosing security issues in the Google Home smart speaker that allowed an attacker within wireless proximity to install a ‘backdoor’ account on the device, enabling them to send commands to it remotely over the internet,  access its microphone feed, and make arbitrary HTTP requests.

Using tools like man-in-the-middle proxy (mitmproxy) enabled Kunze to observe traffic between the Google Home application on a smartphone and the Google Home device.

From there, he discovered that a Google account could be linked to the device by sourcing its information via a local API, and then sending a request to Google’s servers with information to link it.

Kunze wrote a Python script that takes Google credentials and an IP address and then links the Google account to the device at the given IP address.

Kunze then tried to think from the perspective of an attacker.

“Just how much control over the device does a linked account gives you, and what are some potential attack scenarios? I first targeted the routines feature, which allows you to execute voice commands on the device remotely. Doing some more research into previous attacks on Google Home devices, I encountered the ‘Light Commands’ attack, which provided some inspiration for coming up with commands that an attacker might use.”

“The ‘routines’ feature allows you to create shortcuts for running a series of other commands (e.g. a ‘good morning’ routine that runs the commands ‘turn off the lights’ and ‘tell me about the weather).’”

Kunze says that through the Google Home app, routines can be configured to start automatically on our device on certain days at certain times.

“Effectively, routines allow anyone with an account linked to the device to send it commands remotely. In addition to remote control over the device, a linked account also allows you to install ‘actions’ (tiny applications) onto it.”

“When I realised how much access a linked account gives you, I decided to investigate the linking process and determine how easy it would be to link an account from an attacker’s perspective.”

Kunze was keen to come up with an attack that would work on all Google Home devices, regardless of how many other smart devices the user might have.

“I was trying to come up with a way to use a voice command to activate the microphone and exfiltrate the data.”

“All of a sudden it hit me: these devices support a ‘call [phone number]’ command. You could effectively use this command to tell the device to start sending data from its microphone feed to some arbitrary phone number.”

Kunze created a routine to execute the command ‘call my phone number’ on Wednesdays at 8:26 PM.

He had set up the routine one minute earlier, at 8:25 PM.

“A minute later, the routine executed on my Google Home, and it called my phone. I picked up the phone and listened to myself talking through the Google Home’s microphone. Pretty cool!”

“Later, through inspecting network requests, I found that you can specify not only the hour and minute to activate the routine at, but also the precise second, which meant I only had to wait a few seconds for my routines to activate, rather than about a minute.”

Kunze came up with the following attack scenario:

• Attacker wishes to spy on victim.
• Victim installs attacker’s malicious Android app.
• App detects a Google Home on the network via mDNS.
• App uses the basic LAN access it’s automatically granted to silently issue the two HTTP requests necessary to link the attacker’s account to the victim’s device (no special permissions necessary).
• Attacker can now spy on the victim through their Google Home.

On reflection, Kunze says “Google Home’s architecture is based on Chromecast. Chromecast doesn’t place much emphasis on security against proximity-based attacks because it’s mostly unnecessary. What’s the worst that could happen if someone hacks your Chromecast? Maybe they could play obscene videos?”

Kunze says the Google Home, however, is a much more security-critical device, because it has control over our other smart home devices, as well as a microphone.

“If the Google Home architecture had been built from scratch, I imagine that these issues would have never existed.”

“I’m guessing that the engineers behind these features were under the assumption that the account linking process was secure.”

“I tested everything on a Google Home Mini, but I assume that these attacks worked similarly on Google’s other smart speaker models.”

The big positive to come out of all of this? Kunze says the issues have since been fixed.

This article relates only to Google smart speakers, not other brands.

Google has been contacted for comment.