A security researcher has won a $107,500 bug bounty after discovering a way in which hackers could install a backdoor on Google Home devices to seize control of their microphones, and secretly spy upon their owners' conversations.
Vulnerability hunter Matt Kunze initially reported the problem to Google in early 2021, after experiments with his own Google Home smart speaker noticed the ease with which it added new users via the Google Home app.
Kunze discovered that connected users could send commands remotely to paired Google Home devices via its cloud API.
In a technical blog post, Kunze described a possible attack scenario:
According to Kunze, a malicious hacker who has successfully linked his account to the targeted Google Home device can now execute commands remotely: controlling smart switches, making purchases online, remotely unlock doors and vehicles, or opening smart locks by brute-forcing a user's PIN.
Kunze even determined that he could exploit a Google Home speaker's "call <phone number>" command, effectively transmitting everything picked up by its microphone to a phone number of the hacker's choice.
Thankfully, Kunze's responsible disclosure of the vulnerabilities to Google mean that none of the security flaws should be possible to exploit any more. Google fixed the security holes in April 2021, although details have only been made public now.
Of course, that does mean that for some years millions of people were purchasing vulnerable Google Home smart speakers unaware that they could be putting their privacy and security in danger.
Voice-activated devices have been proven to be vulnerable to covert snooping in the past due to vulnerabilities, and it would be a brave person who bet that they won't be again. The widespread adoption of smart speakers in both the home and office has made them a potential headache for those who prioritise their privacy and security over convenience.