One of the hurdles to the adoption of smart speakers is the worry that the digital assistants they carry and their accompanying hardware are prone to invasion. Naturally, all the manufacturers say they’re perfectly safe. But this week, one popular hacker disagrees.
Jerry Gamblin created a detailed post this week that reveals some limited but potentially harmful weaknesses in the Google Home platform. The research revealed that at least until Google puts in a fix, the Home Hub can be controlled remotely using an unsecured application program interface (API) that was originally discovered in Chromecasts.
Google says the API is there for setting up the device and does not expose user information, while its primary use is to communicate with other devices. But Gamblin clearly states that his hypothesis is that these weaknesses are well known to Google.
“I am genuinely shocked by how poor the overall security of these devices are, even more so when you see that these endpoints have been known for years are relatively well documented,” he writes. “I usually would have worked directly with Google to report these issues if they had not previously disclosed, but due to the sheer amount of prior work online and committed code in their own codebase, it is obvious they know.”
The hack isn’t all-inclusive to commands for the Google Home Hub but it’s definitely a security risk. The commands that Gamblin details could enable anyone to restart the entire Home Hub, delete the currently configured wireless network or disable notifications, such as those attached to safety devices like locks and alarms.
Android Authority reached out to Google, which said:
“All Google Home devices are designed with user security and privacy top of mind and use a hardware-protected boot mechanism to ensure that only Google-authenticated code is used on the device. In addition, any communication carrying user information is authenticated and encrypted.
A recent claim about security on Google Home Hub is inaccurate. The APIs mentioned in this claim are used by mobile apps to configure the device and are only accessible when those apps and the Google Home device are on the same Wi-Fi network. Despite what has been claimed, there is no evidence that user information is at risk.”
So basically, Google is confirming what Gamblin claims, but is warning people to keep their home network from being compromised.