Google Home speakers were vulnerable to eavesdropping hackers

No matter which great smart speaker you pick for your home, the premise is always the same: You need to trust the company behind it with your voice recordings and other peripheral sounds of your home. But whenever computers are involved, vulnerabilities exist and can be exploited. This is the case for Google Home smart speakers, too. A researcher spotted a way to eavesdrop on Google smart speakers in proximity.

Security researcher Matt Kunze noticed that setting up a Google Home speaker with a Google account was pretty easy, all while bringing a ton of powerful tools to the account owner (via Bleeping Computer). Once an account is set up, it’s possible to control smart home devices, create and start routines, and even make phone calls.

Kunze was interested to see if it was easy to connect a new Google account to a Google Home speaker. With physical proximity to the speaker, that turned out to be an easy task, even without access to the Wi-Fi network that the speaker is connected to. It’s done by remotely putting the Google Home into its setup mode, injecting a different Google account, and then re-connecting the speaker to the victim’s Wi-Fi network.

Once a hacker manages to connect their account to the Google Home speaker, they get access to the smart devices in the victim’s home. The bad actor could operate switches, play music, turn on and off appliances, and more. A hacker can also initiate a phone call via the smart home speaker, making it possible to record everything happening in the victim’s home. While in a phone call, the smart speaker’s lights turn blue, but if the victim is someone who doesn’t use this feature or isn’t well versed with Google Home’s options, they might just assume the speaker is updating or otherwise busy.

Kunze disclosed the issue to Google in March 2021 after first discovering the problem in January 2021. Google has since paid out a little over $100,000 for the report and fixed the issue. It is no longer possible to add an account to a Google Home speaker remotely, even if it’s still possible to remotely activate the setup mode. Phone calls as made in the video are also no longer possible, as you can’t make them part of routines anymore.

Meanwhile, Google’s excellent smart displays offer a more protected setup thanks to their ability to show a QR code when you set them up. That way, their setup network can be protected with WPA2, which means an attacker would need physical access to the device itself to connect their account to it.

Despite the hack, the security researcher affirms that Nest and Home devices are extraordinarily secure for the most part and don’t offer a lot of attack vectors. He says that the vulnerabilities he discovered were pretty subtle, and that usually the most an attacker could do is change some basic settings.
