Security researcher Matt Kunze says Google paid him a $107,500 bug bounty reward for responsibly reporting vulnerabilities in the Google Home Mini smart speaker.
The issues, the researcher says, could have been exploited by an attacker within wireless proximity to create a rogue account on the device and then perform various actions.
According to Kunze, the attacker could use the account to send remote commands to the device, over the internet, to access the microphone, and make arbitrary HTTP requests on the local network, potentially exposing the Wi-Fi password or accessing other devices directly.
Offering support for voice commands, Google Home smart speakers can be paired with Android devices using the Google Home application, which also allows users to link their accounts to the device, to issue various commands called ‘routines’.
“Effectively, routines allow anyone with an account linked to the device to send it commands remotely. In addition to remote control over the device, a linked account also allows you to install “actions” (tiny applications) onto it,” Kunze notes.
What the young researcher discovered was that an attacker could link an account to the smart speaker without the Google Home application, by tampering with the linking process.
For that, he intercepted the HTTP requests exchanged during the account linking and found that it basically consists of getting the device information (device name, certificate, and cloud ID) through the local API and then sending to Google’s servers a link request containing device information.
Kunze says he was able to replace the strings in the link request payload with rogue ones, thus creating a ‘backdoor’ account on the device.
The researcher then created a Python script to re-implement the linking process without the Google Home application and create the required payload to gain control of the smart speaker.
“Putting it all together, I had a Python script that takes your Google credentials and an IP address as input and uses them to link your account to the Google Home device at the provided IP,” Kunze notes.
An attacker exploiting this issue could create malicious routines to execute voice commands on the device remotely, including a ‘call [phone number]’ command, which can be set to activate at an exact hour, minute, and second.
“You could effectively use this command to tell the device to start sending data from its microphone feed to some arbitrary phone number,” the researcher notes.
One possible attack scenario, Kunze says, involves the user installing an attacker’s application that can detect the Google Home device and can automatically issue two HTTP requests that would link the attacker’s account to the device.
The researcher also discovered that, if the Google Home Mini is disconnected from the local network, it would enter a ‘setup mode’, creating its own network to allow the owner to connect to it.
An attacker within wireless range who does not know the victim’s Wi-Fi password could discover the Google Home device by listening for MAC addresses, send deauth packets to disconnect the device from the network and then connect to the device’s own network to request device information.
Next, the attacker could use the obtained information to link their account to the device over the internet, the researcher says.
Kunze also discovered that the functionality Google has made available to developers could be abused by an attacker to initiate a WebSocket to localhost and then send arbitrary HTTP requests to other devices on the victim’s LAN.
The researcher has published proof-of-concept (PoC) code demonstrating how an attacker could exploit these issues to spy on victims, make arbitrary HTTP requests on the victim’s network, and even read or write arbitrary files on the linked device.
Google, the researcher says, resolved the reported bugs by denying permissions to link accounts that are not added to Home, and by no longer allowing for ‘call [phone number]’ commands to be initiated remotely via routines.
While it is still possible to deauth a Google Home device, the ‘setup mode’ no longer supports account linking. Other protections were also added to the smart speakers.
Kunze says he initially reported the issues to Google in January 2021, when the internet giant said the behavior was intended. The bug reports were reopened in March 2021, after additional information was sent, and a reward was paid in April.
Google awarded the researcher a bonus in May 2022, one month after increasing the rewards offered for vulnerabilities in both Nest and Fitbit devices.
“While the issues I discovered may seem obvious in hindsight, I think that they were actually pretty subtle. Rather than making a local API request to control the device, you instead make a local API request to retrieve innocuous-looking device info, and use that info along with cloud APIs to control the device,” Kunze concludes.
Related: Google Pays Out Over $50,000 for Vulnerabilities Patched by Chrome 107
Related: Critical Vulnerability in Google’s Titan M Chip Earns Researchers $75,000
Related: Google Offering $91,000 Rewards for Linux Kernel, GKE Zero-Days