A researcher exposed a vulnerability in Google Home smart speakers, demonstrated with a Python-based script, that could let an attacker add a backdoor account to a device for remote control and eavesdropping on user conversations.
Python remains a widely used programming language across web development, data science, and machine learning. It is free to download and runs on many operating systems, attracting developers to build diverse applications.
The disclosure came from a researcher identified as Matt Kunze, who reported recent findings and noted financial compensation from Google related to a vulnerability involving Google Home devices.
According to Kunze, he received $107,500 for uncovering a flaw that could allow a backdoor account to be created on these devices. Such access could let cybercriminals remotely control devices and monitor conversations without the user’s knowledge.
The researcher, who demonstrated a Python-based script to access Google Home systems, used a Google Home Mini for testing but indicated that similar results were possible on other models from the same brand.
The initial research, titled “How easy it is to add new users to the device from the Google Home app”, outlined on a blog how an account could be linked to the device and what that means for device security.
Kunze outlined several avenues cybercriminals might exploit to reach Google Home speakers. First, attackers could download the device firmware from the provider’s site to study its workings. A static analysis of the app interacting with the device could reveal weak points in the Google Home ecosystem.
Further, interruptions in communication between the app, the device, and the provider’s servers could enable man-in-the-middle attacks, compromising data in transit.
The research used the Google Home app to observe that commands might be sent remotely via a cloud-based application programming interface. An Nmap scan helped identify the device’s native HTTP API port, and a proxy was configured to capture encrypted HTTPS traffic for analysis.
From the gathered data, it appeared that adding a malicious user would require the user’s name, the device’s cloud ID, and a certificate. A Python script could reproduce the necessary mount request to simulate this process.
Kunze described a likely attack scenario: cybercriminals could exploit the backdoor to spy on victims by obtaining the device’s unique identifier or MAC address, then disconnect the device from Wi-Fi to reach a configuration mode. They would retrieve device information such as name, certificate, and cloud ID to complete the compromise.
Once the device was back online and the victim’s credentials were in hand, the attacker could link the device to an account they controlled, enabling surveillance through Google Home or remote channels without being near the device itself.
The researcher posted three proofs of concept on GitHub to illustrate these actions, while noting that these demonstrations should not succeed on devices running the latest firmware. It is important to note that Kunze found the flaw in January 2021, informed Google in March 2021, and Google released a security patch the following month, in April 2021.
As observed by security outlets, Google Home has been available since 2016, with broader capabilities rolling out a couple of years later. That timeline suggests that, prior to patches, vulnerable configurations could have persisted for years, underscoring ongoing concerns about smart speaker security and the need for timely updates and robust authentication measures. (Attribution: Bleeping Computer; historical coverage of the Google Home vulnerability and patch timeline)