
Google awards $107,500 bounty for security expert reporting critical Google Home bug


Security researcher Matt Kunze reported a serious vulnerability in Google Home to Google last year, and was recently awarded a high bounty of US$107,500 (about 749,000 CNY) by Google.

A vulnerability found in the Google Home smart audio device allows attackers to install a backdoor account for remote control and to activate the microphone to listen to user conversations. Kunze disclosed all the technical details of the vulnerability and how it could be exploited earlier this week.

Kunze scanned the device with Nmap and found the port of Google Home's local HTTP API. He then set up a proxy to capture the encrypted HTTPS traffic, hoping to hijack user authorization tokens.

The researchers discovered that adding a new user to a targeted device is a two-step process that requires the device name, a certificate, and a “cloud ID” from its local API. With this information, they can send a link request to a Google server.

Even more worryingly, the researchers found a way to abuse the "call [phone number]" command, adding it to a malicious routine that would activate the microphone at a specified time, call the attacker's number and send a live microphone feed.

Kunze discovered the issues in January 2021 and sent more details and a PoC in March 2021. Google fixed everything in April 2021.
