While experimenting with the Google Home speaker, the researcher discovered that new accounts registered using the Google Home app could control it remotely through the cloud API.
The researcher says that the attacker would have to be in wireless proximity to a Google Home speaker but won’t have the Wi-Fi password of the user he’s trying to spy on. The attacker can identify the victim’s Google Home speaker by scanning for MAC addresses related to Google Inc.
Then the attacker disconnects the device from its network and makes it enter the setup mode. After that, the attacker connects to the setup network of the device and then collects information about the device. Then the attacker connects to the internet to join their account to the speaker and can spy on the victim using the speaker.
It was mentioned that this attack will not be successful if you’re using the latest firmware version.
If a hacker’s fake account gets linked to a Google Home speaker, the hacker can perform different actions that harm the user’s privacy and security, such as making online purchases, controlling smart switches, unlocking doors and vehicles remotely, and infiltrating the victim’s PIN code for smart locks.
The hacker could set the microphone in the speaker to automatically start a call to the hacker’s phone number. This would allow the hacker to listen to and spy on the victim’s conversations. The only way to notice that the call is taking place is by checking the device for a blue LED light, but the victim may mistake this for the device updating its firmware.
Moreover, the hacker can play different media to creep the victim out, force the speaker to reboot itself, rename the speaker, make it forget the Wi-Fi networks, and make new Wi-Fi or Bluetooth connections.
This issue was discovered by the researcher Kunz in January 2021, and Google fixed all the problems by April 2021. The patch includes an invite-based mechanism to handle all account links, which stops any outside interference from anyone other than those connected to Home.
The call also received new protection, so it can’t be remotely turned on and requires authorization.