At least until April 2021, Google speakers like the Google Home Mini were supposed to have allowed strangers to listen in unnoticed. The security gap has long since been closed, but the details are not really pleasing.
Google speaker with security hole
For a long time, there was a gaping security hole in Google speakers such as the Google Home Mini, through which strangers from the outside could simply listen in unnoticed. This was reported by a security researcher on his blog, who had tested the gap with his own speaker.
On his blog, the researcher reveals that Google paid out a reward for reporting the gap in April 2021, after which reports of the gap closing stopped. This was followed by further bonus payments to the researcher by April 2022, meaning he received a total of $107,500 from Google.
Researcher receives over $100,000 from Google
In his post, he also goes into detail about how the vulnerability could be exploited, how he tested it, and gives more technical details for anyone interested.
“I was recently rewarded a total of $107,500 by Google for responsibly sharing a vulnerability in Google Home smart speakers that allowed attackers in wireless range to install a “backdoor” account on the device,” the researcher said.
This could be used to send commands to the smart speakers over the Internet, access the microphone feed and make arbitrary HTTP requests on the victim’s LAN. It could even apparently be used to read the WLAN password, while attackers could potentially gain direct access to other victims’ devices.
“These problems have since been fixed,” the researcher concludes in the introduction. Good to know, even if of course this doesn’t cast too good a light on smart speakers and them in particular in the Google ecosystem.
Only recently, in August 2022, a security vulnerability was discovered in Google Chrome, which could also be closed shortly afterwards via an update.