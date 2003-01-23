Experts uncover Google Home flaw that could have affected user privacy:
Some Google Home smart speakers could have been hijacked to control the device remotely, and even listen in on people's private conversations, a security expert has claimed.
The bug was discovered by cybersecurity researcher Matt Kunze, who received $107,500 in bounty rewards for responsibly reporting it to Google.
[...] First, the attacker needs to be within wireless proximity of the device, and listen to MAC addresses with prefixes associated with Google.
After that, they can send deauth packets, to disconnect the device from the network and trigger the setup mode. In the setup mode, they request device info, and use that information to link their account to the device and - voila! - they can now spy on the device owners over the internet, and can move away from the WiFi.
But the risk is bigger than "just" listening to people's conversations. Many smart home speaker users connect their devices with various other smart devices, such as door locks and smart switches. Furthermore, the researcher found a way to abuse the "call phone number" command, and have the device call the attacker at a specified time and feed live audio.
Related Stories
The suspicion becomes real: hackers can take control of Alexa and listen to you:
This is a novel method of taking control of a person's Echo speaker. "An attacker could then use this listening function to set up a social engineering scenario where the skill pretends to be Alexa and responds to user statements as if it were Alexa," vulnerability researcher Sergio Esposito told The Register.
Amazon has already patched most of the vulnerabilities, except for one in which a Bluetooth-paired device was able to play audio files created through a vulnerable Amazon Echo speaker, Esposito confirmed. A vulnerability tracked as CVE-2022-25809 which has been assigned a Medium severity level .
Paper (pdf) at arxiv.org.
YouTube video demonstrating an attack.
See also: Ars Technica.