Security researcher Matt Kunze discovered a bug in Google’s smart speaker, the Google Home, which allowed for the creation of a backdoor account that could be used to remotely control the device and access the microphone feed. This could potentially allow an attacker to turn the device into a snooping device.

Kunze responsibly reported the issue to Google and was rewarded with $107,500. The researcher also published technical details about the flaw and demonstrated how it could be exploited.

The issue was related to the process of adding new users to the device, which could be manipulated to allow unauthorized access. Kunze used a Python script to automate the exfiltration of local device data and reproduce the linking request needed to add a rogue user to the target device.

The researcher also found a way to abuse the “call [phone number]” command by adding it to a malicious routine that would activate the microphone at a specified time, call the attacker’s number, and send live microphone feed.

The device’s LED would turn blue during the call, which might be mistaken by the victim as the device updating its firmware.


According to the report, it was also possible to play media on the compromised device, rename it, force a reboot, force it to forget stored Wi-Fi networks, and force new Bluetooth or Wi-Fi pairings.

Google fixed the issues in April 2021: it implemented a new invite-based system to handle account links and added protection to prevent the “call [phone number]” command from being initiated remotely through routines.

It is worth noting that the Google Home was released in 2016 and the Local Home SDK was introduced in 2020, so an attacker could have had plenty of time to exploit the issue before it was fixed.