A bug in Google Home speakers allowed them to be controlled remotely and spy on their users’ conversations.

A researcher has discovered a bug in Google Home speakers, using a ‘script’ developed in Python, that offered the possibility of setting up a backdoor account to remotely control these devices and spy on user conversations.

Python is a programming language used in a large part of web applications, software development, data science and machine learning. It is free to download and can be used on all systems.

A researcher named Matt Kunze announced that he recently received financial compensation from Google for one of his latest findings, focused on Google Home smart speakers.

Specifically, Kunze received $107,500 (approximately €100,615 at the current exchange rate) for discovering a bug that allowed a backdoor account to be set up on these devices, which cybercriminals could exploit to remotely control the devices and spy on their users’ conversations.

The researcher used a Python ‘script’ to access the system of these devices. He used a Google Home Mini for his experiment, although he admitted that such an attack had the same results on other models of the brand.

First of all, at the beginning of his research, Kunze noted “how easy it is to add new users to the device from the Google Home app” by connecting an account to the device, as can also be read on his blog.

From there, he set out different routes that cybercriminals could choose to access the speakers developed by Google. First, he mentions the option of obtaining the device’s ‘firmware’ by downloading it from the provider’s website. Next, a static analysis can be performed on the application that interacts with the device, in this case Google Home.

Moreover, communication between the application and the device, or between them and the provider’s servers, may be intercepted using a man-in-the-middle (MitM) attack.

The researcher used the Google Home application and realized that commands could be sent to the device remotely via the cloud application programming interface (API). He then used an Nmap scan to find the port of the device’s local HTTP API and configured a proxy to capture the encrypted HTTPS traffic.

After obtaining this data, he learned that adding a new user to the target device requires the name, certificate and cloud ID from the local API. Specifically, to add a malicious user, he implemented this linking process in a Python script that reproduces the link request.

Kunze also describes the most likely attack scenario in which cybercriminals would take advantage of such a backdoor. First, he indicates that attackers who want to spy on their victims, while in proximity to the Google Home, obtain its unique identifier, or MAC address.

The attacker then sends deauthentication packets to disconnect the device from the WiFi network and force it into setup mode. The attacker then connects to the device in that mode and requests the device information (name, certificate and cloud ID).

After connecting to the Internet, and using the data obtained, the attacker links their account to the victim’s device. From then on, the attacker can spy on the victim through the Google Home over the Internet alone, without having to be near the device.

The researcher has posted three proofs of concept (PoCs) for these actions on GitHub, but stressed that these should not work on Google Home devices running the latest version of the ‘firmware’.

It should be noted that Kunze discovered this security flaw in January 2021 and reported the issue to the company in March 2021. Just a month later, in April, Google had already fixed the issue with a security patch.

However, as reported by Bleeping Computer, Google Home launched in 2016, with scheduled routines arriving on its smart speakers only two years later, so attackers could have exploited this vulnerability for years.
