SoylentNews is people
SoylentNews
Experts uncover Google Home flaw that could have affected user privacy:
Some Google Home smart speakers could have been hijacked to control the device remotely, and even listen in on people's private conversations, a security expert has claimed.
The bug was discovered by cybersecurity researcher Matt Kunze, who received $107,500 in bounty rewards for responsibly reporting it to Google.
[...] First, the attacker needs to be within wireless proximity of the device, and listen to MAC addresses with prefixes associated with Google.
After that, they can send deauth packets, to disconnect the device from the network and trigger the setup mode. In the setup mode, they request device info, and use that information to link their account to the device and - voila! - they can now spy on the device owners over the internet, and can move away from the WiFi.
But the risk is bigger than "just" listening to people's conversations. Many smart home speaker users connect their devices with various other smart devices, such as door locks and smart switches. Furthermore, the researcher found a way to abuse the "call phone number" command, and have the device call the attacker at a specified time and feed live audio.
Related: The Suspicion Becomes Real: Hackers Can Take Control of Alexa and Listen to You
(Score: 5, Insightful) by Ox0000 on Wednesday January 04, @03:35PM
These eavesdropping devices are explicitly designed to spy on your conversations. With any in the room, you no longer have private conversations. The owner of the device (which ain't _you_) is involved in every single one, and that owner has only one goal: extract resources from you.
The responsible disclosure game has become a farce! It is not responsible at all to allow the owner of those devices to fix it because then these things continue to exist; the right course of action is to wholesale eliminate these types of devices, to eradicate them from existence.
It would have served humanity much more if they just disclosed the flaw to the public, combined with the biggest advertisement campaign possible; heck, maybe they could have highly targeted home speaker owners via google advertisements to inform them of the trojan in their house.
Yes, I understand that this would make people who invited those devices into their home 'vulnerable', but there is an easy fix for for those people as well: unplug the things, whack them with a baseball bat until they are tiny pieces of dust, and voila: not vulnerable anymore. These are not things you cannot live without.
There was no justification to adhere to the farce that is 'responsible disclosure': if you care about end-user privacy, you don't go and be an enabler for these devices, you help get rid of them.