Google dismisses reported Home Hub security flaw
A security researcher has found a set of commands that can be used to knock the Google Home Hub offline. According to Jerry Gamblin, the device exposes an “undocumented (and amazingly unsecured)” API that can be used to force a reboot or to reveal details about the network the device is on.
Gamblin wrote in a blog post that after he bought a Google Home Hub and set it up at home, he noticed that the device had a number of open ports. Curiosity got the better of him, and he started using the command prompt on his computer to test the smart display's security. What he found was that a single command is enough to force a reboot. After a bit more experimenting, Gamblin was able to make the Hub forget its Wi-Fi network, disable notifications and generally be a pest. None of these calls required any credentials; the only requirement was being able to reach the device over the network.
For its part, Google seems far less concerned about the perceived security flaw than Gamblin. “A recent claim about security on Google Home Hub is inaccurate,” a spokesperson for Google told Engadget. “The APIs mentioned in this claim are used by mobile apps to configure the device and are only accessible when those apps and the Google Home device are on the same Wi-Fi network. Despite what’s been claimed, there is no evidence that user information is at risk.”
Essentially, to take advantage of this, an attacker would have to be connected to the same network as the Google Home Hub they want to disrupt. There should perhaps be other forms of authentication to stop a malicious actor from issuing the commands Gamblin highlighted, but requiring access to the same Wi-Fi network is, in a sense, a form of authentication, provided that network is password-protected. The caveat is that it protects only against outsiders: any device already on the network, whether a guest's phone, a compromised laptop or another smart gadget, can issue the same commands, so the protection is only as strong as the network's membership. Google has had security issues with its Home devices before, including one that revealed a user's location, but this one does not appear as serious. Any attack on the Google Home Hub using this method would have to be extremely targeted and could not do much widespread harm beyond annoying an individual victim.
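The argument above comes down to what "only accessible on the same Wi-Fi network" actually checks. The following toy model is an added example, not Google's code and not the Hub's real API: it puts a control API that trusts any caller on the local network next to the same API gated by a per-device token that the companion app is assumed to learn during setup. The endpoint paths, the header name and the token scheme are all assumptions made for the illustration.

```python
"""Toy model of a local-network-only device API versus a token-gated one.

Added example, not Google's code. The Home Hub's real endpoints and request
format are not reproduced; paths, header name and token handling are assumed.
"""
import hmac
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Request:
    """A constructed HTTP request as the device would see it."""
    source_ip: str
    path: str
    headers: dict = field(default_factory=dict)


# Address ranges that are not routable from the internet. For a locality-only
# API, arriving from one of these is the whole "authentication" check.
_PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_on_local_network(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _PRIVATE_NETS)


def authorize_locality_only(req: Request) -> bool:
    """Weak policy: any host on the LAN may call any control endpoint."""
    return is_on_local_network(req.source_ip)


def authorize_with_token(req: Request, device_token: str) -> bool:
    """Hardened policy (assumed design): LAN reachability is still required,
    but control endpoints additionally need a per-device secret that only the
    companion app holds. Read-only status calls stay open for discovery."""
    if not is_on_local_network(req.source_ip):
        return False
    if req.path.startswith("/status"):
        return True
    presented = req.headers.get("X-Device-Token", "")
    # Constant-time comparison so the token cannot be guessed byte by byte.
    return hmac.compare_digest(presented, device_token)


# Hypothetical token the companion app obtained at setup (constructed value).
DEVICE_TOKEN = "9f1c6a2b4d8e0f3a7b5c1d9e2f4a6b8c"

# Constructed requests: a guest phone on the LAN with no token, the companion
# app with the right token, and a host on the public internet.
GUEST_REBOOT = Request("192.168.1.77", "/control/reboot")
APP_REBOOT = Request("192.168.1.20", "/control/reboot",
                     {"X-Device-Token": DEVICE_TOKEN})
WRONG_TOKEN_REBOOT = Request("192.168.1.77", "/control/reboot",
                             {"X-Device-Token": "0" * 32})
INTERNET_REBOOT = Request("203.0.113.9", "/control/reboot",
                          {"X-Device-Token": DEVICE_TOKEN})
GUEST_STATUS = Request("192.168.1.77", "/status/info")


def compare_policies() -> dict:
    """Run every constructed request through both policies."""
    cases = {
        "guest_reboot": GUEST_REBOOT,
        "app_reboot": APP_REBOOT,
        "wrong_token_reboot": WRONG_TOKEN_REBOOT,
        "internet_reboot": INTERNET_REBOOT,
        "guest_status": GUEST_STATUS,
    }
    return {
        name: {
            "locality_only": authorize_locality_only(req),
            "with_token": authorize_with_token(req, DEVICE_TOKEN),
        }
        for name, req in cases.items()
    }


if __name__ == "__main__":
    for name, verdicts in compare_policies().items():
        print(f"{name:20s} locality_only={verdicts['locality_only']!s:5s} "
              f"with_token={verdicts['with_token']}")
```

The interesting row is the guest phone: the locality-only policy lets it reboot the device, the token policy does not, while both policies reject the internet host. That is the difference between "only reachable from the LAN" and "only usable by the owner's app", which is what the discussion above turns on.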