Heimdal

A vulnerability in Google Home speakers could have allowed threat actors to remotely listen in on user conversations. The issue was reported to Google by security researcher Matt Kunze, who won a bug bounty of $107,500.

According to Kunze’s technical summary of the flaw, an attacker within wireless proximity could install a ‘backdoor’ account on the device. Once the account was installed, threat actors could send commands to the speaker remotely over the Internet, access its microphone feed, and make arbitrary HTTP requests within the victim’s network.

A Vulnerability in Google Home Speaker Allowed Eavesdropping

Additionally, an attacker could obtain the victim’s Wi-Fi password and access other devices on the same network.

Kunze discovered the issue while investigating whether it was easy to add new users to the Google Home app. By linking an account to the device, Kunze was able to gain a lot of control over it. For example, a new account could send commands directly to the device using the cloud API.

The Attacker Could Gain Control via a Malicious App

To snoop on victims’ conversations, an attacker would have to trick them into installing a malicious Android app, which would connect the attacker’s account to the device. An attacker who completes all the steps in this scenario would be able to adjust the device’s volume, call a specific phone number, and listen in on the victim using the microphone on the Google Home speaker, explains Cybernews.

According to the researcher, the only giveaway would be a blue LED on the device that “turns solid blue” when the speaker is on, and the victim would assume the device is doing an update or performing some unimportant task.

The attack scenario and technical summary of the vulnerability are available on Matt Kunze’s blog.


Author Profile

Madalina Popovici

Digital PR Specialist


Madalina, a seasoned digital content creator at Heimdal®, blends her passion for cybersecurity with an 8-year background in PR & CSR consultancy. Skilled in making complex cyber topics accessible, she bridges the gap between cyber experts and the wider audience with finesse.
