A flaw in Google Home smart speakers could allow attackers to remotely eavesdrop on users’ conversations, according to security researcher Matt Kunze. Kunze reported the issue to Google and was rewarded with a $107,500 payout.
The attack works by allowing the hacker to remotely install their account on a device within the wireless network zone. From there, they can send commands to the speaker over the internet, access the microphone, and make arbitrary HTTP requests on the victim’s local network. The hacker could also potentially gain access to the victim’s Wi-Fi password and other devices on the same network.
To listen in on the victim’s conversations, the attacker would need to trick the user into installing a malicious Android app that would link the hacker’s account to the target device. Once the app is installed, the attacker can remotely change the device’s volume, make phone calls, and use the microphone on the Google Home speaker to eavesdrop on the victim.
The victim may not even be aware of the hack, as the only indicator of compromise would be a blue LED that lights up while talking on the phone. Kunze notes that the victim will likely think the device is updating or performing another routine task.
It’s important for users of smart speakers and other connected devices to be vigilant about the apps they install and keep their devices updated with the latest security patches. It’s also a good idea to regularly change passwords and enable two-factor authentication to further protect against hacking attempts.