Security Researcher Exposes Alarming Wiretap Flaw In Google Home Smart Speakers

Earlier this year, Google awarded a security researcher $107,500 for finding vulnerabilities in the company’s smart speakers. The researcher demonstrated that these vulnerabilities could be leveraged to link secondary accounts to Google smart home devices, then control the devices for nefarious ends, including eavesdropping on the owners of the devices. Fortunately the researcher reported this vulnerability to Google, rather than abusing it, but there’s no telling whether he was the first to discover and exploit these vulnerabilities.

Google smart home devices are designed to be controlled by phones running the Google Home app. This app communicates with smart devices over HTTPS, which is an encrypted communication protocol. However, the researcher discovered that he could use a rooted Android phone and a script found on GitHub to intercept and decrypt this HTTPS traffic, letting him read the traffic in plaintext form. Then, by reading the communications between his Google Home Mini and his phone running the Google Home app, the researcher was able to determine the precise requests used to add a Google account to a Google smart home device.

Armed with this knowledge, the researcher was able to craft and transmit a custom request to his Google Home Mini that linked a second Google account to the device. In doing so, the researcher proved that any unauthorized party could discreetly park near a house containing a Google smart home device and wirelessly link a “backdoor” Google account to said device. Once this account link is established, the threat actor could leave the area and issue commands to the smart device remotely.

The researcher also discovered that a threat actor could abuse this unauthorized access to perform multiple malicious actions. Perhaps the most disturbing exploit demonstrated by the researcher is the ability to create a phone call routine on a compromised device. This routine function calls a specified phone number and transmits audio from from a smart device’s microphone. Notably, Google smart home devices don’t emit any audible notice when a phone call is placed nor do the LEDs pulsate as they usually do when the microphone is active; the LEDs simply glow blue instead. Thus, a threat actor could set up a phone call routine to listen in on conversations taking place in a house occupied by a compromised smart speaker.

On top of eavesdropping, the researcher found that a threat actor could leverage unauthorized access to Google smart home devices to issue arbitrary HTTP requests on the networks to which these devices are connected, giving threat actors access to victims’ internal networks. The researcher also demonstrated the ability to read and write arbitrary files on compromised devices.

Thankfully, Google has now fixed these vulnerabilities by adding multiple security improvements to the account linking and setup processes. Hopefully, then, threat actors should no longer be able to exploit smart home devices in the ways demonstrated by the researcher. However, we don’t know whether any threat actors discovered and exploited these vulnerabilities in the wild before Google addressed them.