To the average user, modern technology is a benefit to our lives. We’ve become accustomed to using smart devices to make our lives easier, allowing everything from ordering our groceries to controlling our appliances.
Each of these devices functions on a relatively simple API structure; plainly put: the software that allows two applications to speak to one another.
When you request something of your smart device, such as Google Home, API software processes your request and delivers the desired response. It was through this software that Matt Kunze, an “ethical” hacker, discovered a way in which he could access individual Google Home accounts without their wi-fi credentials and utilize them for various purposes, including spying.
In a blog post dated December 26, 2022, Kunze detailed how he remotely accessed individual accounts.
Kunze first ran a program to detect MAC addresses with prefixes associated with Google, Inc. Once discovered, he sent de-auth packets to disconnect the device from the network and enter start-up mode. From there, he could request the device info to include name, certification and cloud ID. Once retrieved, all that was left to do was reconnect to the internet and add himself as a new user to the target account.
Within moments, Kunze had gained access with the only potential notice to the victim being that the device’s LED would turn blue while the ‘call’ function was engaged, which may not be noticed or may be dismissed as a software update.
Kunze discovered and reported the issues in January of 2021, while Google reportedly made software adjustments in April of 2021, resolving the flaws that allowed the potential for a privacy breach. Google Home Speakers running on the latest software update are not at risk for this type of attack.
Among the fixes employed by Google were requiring an invite to be approved by the ‘home’ account before establishing new user as well as disabling the ability to initiate the “call” feature remotely. This removes the potential for speakers to be engaged and used as listening devices.
Kunze’s stated his efforts lead Google to reward him with a sum of $107,500 as a “bug bounty.” He also praised the base security of the devices that he encountered while engineering his hack.
“The low-level security of the device is generally quite good, and buffer overflows and such are hard to come by,” Kunze said. “The issues I found were lurking at the high level. Many thanks to Google for the incredibly generous rewards!”
In an effort to improve real-use security, Google launched a ‘Bug Bounty’ program in 2022, offering rewards from $100 and up for assistance in identifying and reporting vulnerabilities. A dedicated team of software engineers receives and investigates all reported vulnerabilities.