A bug in Google Home speakers left the door open for cybercriminals

Google Home was launched in 2016 and, since then, many homes have enjoyed its benefits. However, it has recently come to light that a bug in the speakers may have left the door open for cybercriminals. This has undoubtedly jeopardized the user privacy.

The person who has been in charge of the investigation has been Matt Kunze, a software engineer with extensive experience. The failed detected it in January 2021, but it was not until two months later that it came to light. What he revealed concerned everyone with Google Home speakers in the home: a security breach.

How was this bug discovered on Google Home speakers?

To detect this security flaw, what you did matt kunze was to use a script that he developed thanks to the Python programming language. This is considered high-level and is present in much of the development of web applications, software development and other tasks that programmers carry out on a daily basis.

Since Python is such an efficient language and its results are excellent, Matt Kunze did not hesitate to use it for his purposes. So, as soon as he used the created script to access the Google Home speakers, he did specifically with the Google Home Mini model, an unexpected error popped up in the system. Worst? She had been active for a long time.

Something that many users thought was that if the script was tested on the Google Home Mini, other versions could be free of said error. However, Matt Kunze made the relevant checks with all Google Home speaker models. The result was always the same. The error was present in all of them.

What did it mean to have found it?

The bug in the Google Home speakers opened the door for cybercriminals to set up what’s known as a backdoor account. This is a way to get into computers without being seen and without the need to authenticate. What happens with this is that all the information is exposed.

How is this achieved? Well, one of the first ways, as Matt Kunze explained, is get the firmware (code that controls what the hardware of a particular device has to do) directly from the provider’s website. Once accessed, you just have to download it. Then, an analysis of the application that interacts with Google Home is carried out. Thus, you get that valuable firmware.

However, there is a second way that cybercriminals took advantage of this bug in Google Home speakers.. It is about carrying out the MitM attack that intercepts all the information that is transmitted between the application and the device. Matt Kunze discovered that you could remotely send commands to add a new user to Google Home without too much trouble.

When Matt Kunze implemented the Python script, he realized that this left an avenue open for cybercriminals to gain access to the Google Home speakers. invading privacy of those who used them. The worst news is that they may have been taking advantage of this for many years.

Access to devices and espionage: the consequences of this error

The consequences of the error in the Google Home speakers did not wait. It was clear that all the conversations that people have near a device like this are being used by cybercriminals with the intention of stealing valuable information. Likewise, they could access both the WIFI network and other elements, such as the MAC itself that some users may have at home.

This access to WIFI was especially interesting thanks to the fact that, after sending several attacks, They managed to disconnect Google Home to connect it with another configuration and, thus, have full control. Fortunately, in April 2021, a patch was released for resolve this error that was bypassing people’s data protection.

All technology is vulnerable to errors, so relevant investigations are often necessary to fix anything that can compromise users who use devices like Google Home. For this, it is important keep them updatedas security enhancements that protect privacy are always being released.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *