We can never be wary enough of connected devices! A researcher has discovered a security flaw allowing hackers to listen to conversations around Google Home Mini speakers to spy on their users.
Can connected speakers be used for spying? This is the question posed by Matt Kunze, a computer security researcher, who conducted a very instructive experiment. Thus, in January 2021, he discovered an astonishing security flaw in the connected speakers Google Home Mini – since renamed Nest Mini –, as reported Bleeping Computer. He immediately notified the Mountain View firm, which rewarded him with $107,500 for his find and which corrected the problem in April 2021 via an automatic update. It was only at the end of 2022 that the researcher published technical details as well as an attack scenario to show how the flaw could be exploited. Thus, hackers could take control of the smart speaker remotely and spy on the conversations around it by accessing the microphone. Fortunately, the manipulation was far from simple and it was limited to a particular device model, which reduced the risk of mass hacking. but she points to a potential malicious use of these connected speakers, yet so practical, to collect private data…
Google Home Mini: a microphone under control
The researcher found that, on a Google Home Mini, new user accounts added from the Google Home app were able to send commands remotely from the application programming interface (API) in the cloud . Something to interest people with bad intentions! To add yourself as a user without having the victim’s Wi-Fi password, it was enough to know the name of the device, the certificate and the cloud identifier of the local API to send a link request to the server Google by replicating the link request in a Python script. To from there, it was the door open to all sorts of abuse. These flaws could be exploited since 2018, when the planned routines were launched.
Indeed, the speaker allows you to perform all kinds of commands in the house, such as remotely unlocking connected locks, making online purchases, closing or opening the shutters – very practical for a burglary -, renaming the speaker, force restart it, make it forget stored Wi-Fi networks, force new Bluetooth or Wi-Fi pairings and play media on it. But, above all, the hacker can abuse the command “call [numéro de téléphone]” by adding it to a routine. It allows you to activate the microphone at the same time as the launch of a call to the hacker’s number, which thus has plenty of time to listen to the conversations taking place around the Compromised device The only way for the victim to know that their device is spying on them is by the blue display of its LEDs, which flash when the microphone is activated.
Fortunately, Google has since added protection to prevent the remote command from being triggered by routines. This is why, we can never stress enough, it is essential to check that the security updates of your devices – and not that the Google Home Mini – are regularly made. To note that some have features to physically block access to a microphone or camera.