A safety researcher was awarded a bug bounty of $107,500 for figuring out safety points in Google Home good audio system that might be exploited to put in backdoors and switch them into wiretapping units.
The flaws “allowed an attacker inside wi-fi proximity to put in a ‘backdoor’ account on the system, enabling them to ship instructions to it remotely over the web, entry its microphone feed, and make arbitrary HTTP requests inside the sufferer’s LAN,” the researcher, who goes by the title Matt, disclosed in a technical write-up revealed this week.
In making such malicious requests, not solely may the Wi-Fi password get uncovered, but in addition present the adversary direct entry to different units related to the identical community. Following accountable disclosure on January 8, 2021, the problems have been remediated by Google in April 2021.
The downside, in a nutshell, has to do with how the Google Home software program structure could be leveraged so as to add a rogue Google person account to a goal’s dwelling automation system.
In an assault chain detailed by the researcher, a menace actor trying to snoop on a sufferer can trick the person into putting in a malicious Android app, which, upon detecting a Google Home system on the community, points stealthy HTTP requests to hyperlink an attacker’s account to the sufferer’s system.
Taking issues a notch greater, it additionally emerged that, by staging a Wi-Fi deauthentication assault to pressure a Google Home system to disconnect from the community, the equipment could be made to enter a “setup mode” and create its personal open Wi-Fi community.
The menace actor can subsequently connect with the system’s setup community and request particulars like system title, cloud_device_id, and certificates, and use them to hyperlink their account to the system.
Regardless of the assault sequence employed, a profitable hyperlink course of permits the adversary to reap the benefits of Google Home routines to show down the amount to zero and name a selected cellphone quantity at any given cut-off date to spy on the sufferer by the system’s microphone.
“The solely factor the sufferer could discover is that the system’s LEDs flip stable blue, however they’d in all probability simply assume it is updating the firmware or one thing,” Matt mentioned. “During a name, the LEDs don’t pulse like they usually do when the system is listening, so there isn’t a indication that the microphone is open.”
Furthermore, the assault could be prolonged to make arbitrary HTTP requests inside the sufferer’s community and even learn recordsdata or introduce malicious modifications on the linked system that might get utilized after a reboot.
This isn’t the primary time such assault strategies have been devised to covertly eavesdrop on potential targets by voice-activated units.
In November 2019, a bunch of teachers disclosed a way referred to as Light Commands, which refers to a vulnerability of MEMS microphones that allows attackers to remotely inject inaudible and invisible instructions into widespread voice assistants like Google Assistant, Amazon Alexa, Facebook Portal, and Apple Siri utilizing gentle.