
chrisdh79 OP t1_j249zs8 wrote

From the article: A bug in Google Home smart speaker allowed installing a backdoor account that could be used to control it remotely and to turn it into a snooping device by accessing the microphone feed.

A researcher discovered the issue and received $107,500 for responsibly reporting it to Google last year. Earlier this week, the researcher published technical details about the finding and an attack scenario to show how the flaw could be leveraged.

While experimenting with his own Google Home mini speaker, the researcher discovered that new accounts added using the Google Home app could send commands to it remotely via the cloud API.

Using a Nmap scan, the researcher found the port for the local HTTP API of Google Home, so he set up a proxy to capture the encrypted HTTPS traffic, hoping to snatch the user authorization token.


Supafly22 t1_j24c4tj wrote

Joke’s on them. All they’ll hear is me and my wife arguing about how much seasoning I use when I cook.


coyote-1 t1_j24mf3i wrote

I’m not conspiring to bring down the republic, so they ain’t coming after me.

Matter of fact, they are barely going after folks who did in fact try to bring down the Republic!

So I don’t think any of us have much to worry about.


asdaaaaaaaa t1_j24nc8i wrote

Bug/vulnerability bounties are a pretty good way of getting results, especially for those hard to figure out ones that deal with a specific issue. Otherwise, there's a much bigger incentive to sell the vulnerability to someone else, or use it for nefarious reasons.


OldDefinition1328 t1_j24pajy wrote

Guugle spying on people??? THEY'D NEVER DO THAT, WOULD THEY? Oh, they will... OK...


JustYerAverage t1_j24ppgo wrote

What a COMPLETE surprise! No, no, no - this is certainly unpossible! /s


beebog t1_j24q1d9 wrote

idk how people can have these items in their home and reasonably think they’re not being listened to


718Brooklyn t1_j24uetg wrote

Everyone kept saying the same thing. “Why did we get this stupid Google home speaker? I hope someone comes and steals it.”


snortgiggles t1_j24umwt wrote

These days it says, "I'm sorry I can't help with that," but once a few years ago it said, "I can't be sure but the couch is a good place to start."

LOL I bet it freaked people out so they had to remove it.


xl_RENEG4DE_lx t1_j24xpcg wrote

If hackers are listening... They are the ONLY ONES! Mine ignores me until I get hostile!


katycake t1_j24zumi wrote

"I'm sorry Dave..."

Speech recognition software was a mistake. Overrated.

The algorithm is able to track words spoken in streams, and prevent users from saying what they actually want to say, or the Ads get pulled.


Reggie_Barclay t1_j251jrl wrote

I hope people enjoy my octogenarian parents discussing medication.


l397flake t1_j252pv6 wrote

Personal data is the coin of the internet. Any device that accesses your network including your phone can gather and transmit data back to companies like google, apple, hackers etc.


1cheekykebt t1_j2557ux wrote

ITT: People who didn’t read the article and freaking out.

The article gives step by step of what happens in order for this to occur. And it involves the “hacker” being in close proximity, forcing google home to disconnect from network, adding the google home to their own account, and then calling the device which has visual cues that the device is in a call.

Given that the infiltrator has to be physically present I don’t think it’s that big of a deal. No one would actually do this if they had malicious intent, they would just set up their own listening devices if they wanted to hear inside your home.


TechTalkf t1_j257sz2 wrote

I put mine back in the box like 3 months ago mainly because Google Assistant has gotten so bad lately to the point of being kinda useless.


North_South_Side t1_j2595po wrote

I just don't see the appeal of these things at all. I've been to friends' houses where they have shown off the capabilities... and it's not very impressive at all. Sure "Play salsa music" will get it to play salsa music, but... who cares?

These things are largely solutions looking for a problem.


nathan555 t1_j259klq wrote

And yet I can't stop an alarm when I'm standing directly in front of it yelling.


beebog t1_j259pld wrote

“ok google, family room light on”

like have we really devolved to this point lol. do you think i should start saving up for my wall-e scooter now or just take out a loan when the time comes


ChapterN7 t1_j25dfx1 wrote

I care. I like that I can just tell it to play whatever song I want, and it starts up a whole playlist based on that song. How's the weather tomorrow? What's the news? Turn off all the lights. Turn the TV on and go to this or that channel. Where's my stuff (amazon delivery)? Set an alarm for 5AM. Set a timer for 15 minutes. Play this or that audiobook.

List goes on and on. I know it's all the rage to hate on these things while the cellphone on your desk carries all the same vulnerabilities, but I've found them to be pretty convenient in a lot of ways.


Phenomenon101 t1_j25fakb wrote

Forgive me if I'm wrong, but isn't this just MAC spoofing?


jacesonn t1_j25hbew wrote

This. I know mine listens to me, but it's not like I'm spilling government secrets in my kitchen. If hackers want to listen to me badly sing along to disco that's their problem, not mine


stripybaby t1_j25hsyf wrote

My mom has COPD and it can be difficult or tiresome for her to move around her house. When she was staying with me she enjoyed being able to vocally turn off a light instead of using her energy to go do that. She did think it was creepy at times and worried that someone may be listening to her, but overall she felt it helped her. I can see the benefits in those situations for people who aren’t as able bodied as others.


androidusr t1_j25ji51 wrote

There's a lot of cheap wifi lightbulbs and wifi outlets that people buy from Amazon, and then install some app that works with the lightbulb. So it's easier than ever to be on someone's lan, jumping from a cheap microcontroller to other hardware.


beebog t1_j25kgex wrote

i mean yeah absolutely that makes sense for accessibility or adapting a space for better independence, but i do believe that those circumstances are in the minority


beebog t1_j25my8n wrote

i have the paranoia where i don’t believe the switch is honestly cutting the mic lol, i will just continue to not have one of these. standard battery powered bluetooth speakers haven’t led me astray yet


dreamingabout t1_j25psmd wrote

All my lights are smart lights and I generally control them through my google home devices, it’s convenient to just say “hey google turn on the hallway light”. Or my fan or air purifier, it’s nice not having to get up to shut them off or turn them or look at my phone to shut the smart plug off when I’m still half asleep in the morning. I’m having issues with my new tv, but previously I could go “hey google skip 1:30s of this show” to get through intros. It’s obviously not for everyone, but I enjoy the convenience of controlling my home with just my voice.


The_Troyminator t1_j25q0dj wrote

This is where they shine. When my hands are covered in batter and I need to set a timer, voice is awesome. It's also nice when a recipe has step-by-step instructions you can trigger by voice. The intercom functionality is kind of nice too. It's an easy way to get people to come down when dinner is ready.


The_Troyminator t1_j25qdux wrote

That's why all my IoT devices are on the guest network which only gives them internet access and blocks them from seeing any other device on the LAN. If one gets compromised, they can't reach anything else on my network.


North_South_Side t1_j25qqv5 wrote

I can see some upsides. But the one friend who was demonstrating it for me had similar issues like you had. He said he had everything set up really well for a while, then it stopped working perfectly. He re-adjusted it over and over. Then eventually instead of fixing it, he just started turning lights on manually like before. I think he started having troubles when they added more stuff to it, and it just plain didn't work with his new TV.


The_Troyminator t1_j25qtht wrote

Once they set it up, they can listen in from anywhere. However, they still need to be within wifi-range to set it up. If anybody does this, it will likely be a neighbor or somebody with a reason to target you. I can't imagine people driving around trying to do this to random devices.


KDN1692 t1_j25yyrv wrote

It's going to be the most boring conversation of their lives.


BaneThoth766 t1_j2601k4 wrote

If it’s hooked up to the internet it’s hackable lol.

Why you would want to listen to people’s convos is beyond me tho


EssVeeUU t1_j26184q wrote

I disagree, I bought a hub because I have a friend who wanted to give me their old nest (eventually). It's a godsend when you have children. Turn off the light, set an alarm for bedtime every night, throw on a YouTube video when I need a quick distraction. It definitely has its benefits with little ones involved. There's a shopping list feature too I haven't gotten to play with but could be very beneficial with one person out and the other at home physically checking for items and adding to the list.


dreamingabout t1_j267amx wrote

Yeah previously I had a chrome cast and stuff so it worked pretty seamlessly with my google voice, but now I just have a smart tv and it wants me to do voice commands using their remote and I haven’t been able to properly connect them.


mauser98 t1_j267k7x wrote

I will never have an Alexa or one of these in my home


dotnetr t1_j26akka wrote

People in this thread typing with their personal wiretaps complaining about a known wiretap connected in the home.


madpiratebippy t1_j26cemr wrote

I mean duh. Cordless phones are also insecure devices.

If a hacker really wants to listen to me telling my wife we need more onions, or that I burned dinner again, their life is boring af.


beebog t1_j26hovx wrote

i guess that’s fair, i have littles at home too, honestly i feel like i would just probably forget to use it if i had it lol. these things have never seemed worth it to me but i’m glad there’s people who enjoy them! im definitely not much of a consumer in many ways. i have a couple friends who basically have their whole apartments fitted with these or the amazon alexa one though

are your kids able to make online orders / purchases from these? that’s a deterrent also i’ve seen with the amazon ones is kids just started ordering shit willy nilly racking up charges


laffer1 t1_j26lhp6 wrote

The downside is that people expect it now from everyone. When you run a small open source project and folks try to hold you hostage to pay, it sucks. Plus a lot of folks do scans all the time hoping to find a vulnerability against your servers


EssVeeUU t1_j26o5ux wrote

Got a free Alexa from my grandma and wasn't a fan. Got the hub for $50 black Friday sale and the video monitor made a huge difference with our initial usage. Got the smart lights for $5 a piece for a different black Friday sale and it was a lifesaver for bed time with a chunky almost 1 year old and clingy almost 3 year old. However, they can barely talk so we have little concerns with purchases for the moment, but we also don't have any cards attached to the Google account, we just made a family one.


beebog t1_j26tedu wrote

i mean yeah but my smartphone is typically downstairs while my office is upstairs, it’s pretty much on my person only when im bored, talking to someone, or pooping lol. i generally try to minimize my screen time and the amount of electronics that are immediately accessible to me, more for my own mental health than any underlying paranoia. but that is a fair point, and my argument against it would be moreso geared towards minimizing opportunities for unsolicited access points in my personal space


daleus t1_j26uis7 wrote

not the person you asked, but someone in the same position - the answer is it depends on your use case.

I only have the audio devices so all I ever cast is spotify, the trick is to ask google to play something on spotify first and then open the app on your phone/tablet/whatever, which then connects to that session and acts like a cast/remote.


Sad-University-2332 t1_j26wwy0 wrote

Could have guessed that one. I don't have anything to hide, all you're going to hear is my girlfriend yelling at me for farting 200 times a day


Springfield2016 t1_j26y3ud wrote

That's why I don't use most remote speakers and have a VPN to at least slow the hacker down.


MrTonyBoloney t1_j2718gg wrote

Everyone says this, but if you think about it for more than a minute you realize it’s impractical and unrealistic

How exactly would it listen to you? Obviously they don’t listen LIVE to millions of devices. Store your every word into a database? That’s illegal wiretapping in most states and Google Legal wouldn’t fuck with that. Even if they did: what keywords would they look for, and how is any of that data any more useful to them than the data you willfully hand over? (e.g. Search queries, cross-site cookie tracking)

You should be more skeptical about real, scary data harvesting, not theoretical nonsense like this


aykay55 t1_j271qvn wrote

I think it’s reasonable to believe the only people hearing my requests is Google. And in this case, that is what is happening except the hacker reprogrammed my Google Home onto their account. The only thing that would change is that all my searches would be listed under the hacker’s account, giving the attacker access to my search history from that device alone and the voice recordings that are attached to the searches. If they’re lucky, they could maybe peek at what is playing on my Chromecast. They can’t actively listen whenever they want to. The article’s headline is incredibly misleading


xcebrian t1_j274spx wrote

This message brought to you by the FBI!


aykay55 t1_j2751m3 wrote

Thank you. I know well enough that it isn't listening 24/7, but I hadn't ever heard someone claim that the Google Home Mini physically cuts off access to the microphones when the switch is turned on. I'm happy to see Google built in this level of privacy to their device. Tbh, I was never really scared of smart speakers, I'm more suspicious of smart TVs that come with Alexa or Google Assistant support. Some of these TVs are already sold at a loss, and they don't have any physical shut-off switch for the microphones. And unplugging the TV is a physical chore that no one would bother doing. TVs continue to open their operating systems to third parties and some even offer access to the Play Store. And people don't usually prioritize updating their TVs to the latest software. So, that's a much bigger security hole for anyone that is concerned about being spied on than any smart speaker.


ImN0tAsian t1_j279uw3 wrote

Well, the bug-rewarding is in response to extortion via ransomware, so it goes both ways, sadly. I'd rather pay a smaller sum to reward white hats than risk losing an operation.


midgetman303 t1_j27ba84 wrote

In other breaking news: cigarettes are bad for your health, and drinking water improves your health


Kelemenopy t1_j27k2nm wrote

Anything with the ability to record and transmit data is a potential window into your life in the digital age, isn’t it? We’re up to our knees in Bentham’s panopticon. The trick is to accept it pragmatically without becoming paranoid.


vexeling t1_j27lg7i wrote

All they would hear is my bird screaming. It's his speaker. I play music for him in "his" room and that's it. 😂


select_L0L t1_j27pnes wrote

Here’s a thought: I don’t really care. I know some people do, but the whole idea of “you’re being spied on!!!” is so ridiculous

Unless you’ve done something illegal, the government doesn’t want to spy on you. Unless you’ve angered some international crime syndicate, black hat hackers don’t want to listen to you


_Rand_ t1_j27tyel wrote

Plus it's not like they can do it secretly.

We can see what data is being sent/received per device if we want to or at least how much when it's encrypted.

If google homes en-masse just opened up the floodgates and started sending data for no reason constantly someone would notice and we would know practically instantly. It would be a matter of days before security researchers were reporting the problem and virtually every major publication would be telling you to turn them off immediately.

If it were a thing that say the FBI was doing to individuals as they felt necessary for surveillance reasons well... they can do that already anyways via other devices. A google home isn't going to change things.


ssspiral t1_j27udpl wrote

correct me if i’m wrong but doesn’t this have more to do with the individual’s wifi security rather than the device itself? or is there some kind of weakness they’re able to exploit in these?


PitfallPerry t1_j280jo8 wrote

The researcher outlines that the exploit uses deauth packets to get the device to enter setup mode because the attacker expressly does not have the Wi-Fi password. But it’s a fair question to ask.

“1. The attacker wishes to spy on the victim within wireless proximity of the Google Home (but does NOT have the victim's Wi-Fi password).”


twohubs t1_j282see wrote

My MIL was telling me that the Prime Rib was the easier meal to prepare on Xmas. My reply to her was it didn’t sound like it from the living room, as the FIL and MIL were arguing about how to season it.


GhostOfTimBrewster t1_j288gxk wrote

Honestly, the ease with which the majority of us have allowed listening devices connected to the Internet into our homes is shocking.


nicuramar t1_j288n5n wrote

The use of “allowed” in the headline is pretty misleading, IMO.


Cmdr_K9 t1_j28aolz wrote

Let's put aside the legal ramifications and talk practicality. Think about the sheer volume of data produced. Hours of audio per day, per device. Add that to what they already collect and even a tech giant like Google would have a hard time handling it. There's an entire school of thought dedicated to producing and handing over garbage data just to screw with anyone who looks at it.


mastodonj t1_j28fb68 wrote

Headline is a tad misleading. One reading is that hackers did in fact use Google home speakers to snoop on conversations. When what it is really saying is that there was a flaw that allowed hackers to snoop on conversations, had any of them known about it.

Two wildly different interpretations.


luckydwarf t1_j28lgix wrote

Make sure when you post your meth recipe to include a 10,000 word blog post that covers what it was like growing up, what meth meant to you as a child, how nothing can beat grandma's methcakes, etc. And I want ads. A LOT of ads. Make it almost impossible to navigate without having an aneurysm.


friendofoldman t1_j28m1np wrote

You’re assuming all the Google employees and contractors are ethical and respect Google’s own rules and regulations.

People are definitely nosy and will snoop. Tons of stories of employees leaking info they shouldn’t have accessed.

Public figures are usually targets of this. So at least they should be informed of the risk.

Also, let’s say your post pisses off the wrong incel who happens to be a contractor? He’ll back door to record your unguarded conversation. All it takes is an improperly thought out comment or joke to ruin a career if posted without the proper context.

I’ve been in IT for 30 years. A lot of the controls we have now are in place because people will snoop no matter how illegal it is.


ElvisArcher t1_j28p68z wrote

Just wait until they hear about cell phones!


Stalker401 t1_j28q1ux wrote

They hacked my Google Home and still don't know what I'm doing for dinner. If they have any suggestions they can chime in.


ChalkDoxie t1_j28qg8p wrote

Also a pop up for the newsletter, then a pop up ad, a pop up discount spinner, and a pop up text message for discount. Also video ads, that don’t load right, and continue to move the screen on your mobile browser up and down.


Not_floridaman t1_j28vcde wrote

Yes! We love it for cooking and the broadcast feature. Also, each night I have a family bell that chimes and my kids know that means it's bedtime.

The displays are also good for looking at the cameras/doorbell.

My husband thought they were wholly unnecessary but once we had one or two, he saw their usefulness and we got more. I love being able to move the music from speaker to speaker as I'm cleaning also.

Oh! And turning off lights and locking the door when I'm already in bed!

Okay, I just really love everything about it.

(not paid for by Google unfortunately)


Gravix-Gotcha t1_j28x9jy wrote

I tried getting down with IOT and automation. Had one of these and obviously the first thing I did was to try to use it as an alarm.

The next morning when it went off and I was bleary eyed trying to think of what command would shut it off, it just kept telling me to use the app so I unplugged it and haven’t used it since.


Not_floridaman t1_j28xhd2 wrote

We have 3 video hubs and 4 minis and it's amazing with kids. We have the family bell for bedtime and for mornings to put shoes on and grab their jackets because I'm usually running around so Google can get them started if I lose track of time, can pull up recipes easily, set timers for when they're fighting over a toy or for cooking, can send music from room to room while I'm cleaning and being able to turn off my lights or lock my front door by voice is incredible when my lupus and RA are flaring. I also like being able to see who's at the doorbell on the hubs or seeing the cameras. The hubs also have games and stories and my son LOVES the lightning McQueen interactive stories.

10/10 recommend for people with or without kids but especially with kids.


EssVeeUU t1_j28xrf4 wrote

.... I need to look into these lightning McQueen interactive stories. My son's going to TRIP. He keeps trying to play the fish feeding game but he can't talk good enough for Google yet 😂 Over time we are interested in the doorbell and speakers as well, and we have a second hub we haven't set up yet. How do you like the lock? Do you feel secure with it? Boyfriend is paranoid as fuckkk and that one might be the hardest sell for him.


redfoot0 t1_j28xyu0 wrote

"Hackers" meaning google themselves


travisfranklin t1_j2920su wrote

That's for the feds and nsa only seriously boundaries people 🤣


FliPhisher t1_j293m9i wrote

For me, the 'I have nothing to hide' argument doesn't get me to the point where I'm willing to allow a monitoring device in my home. It gives me the heebie-jeebies and I have noticed over the years that I have started doing a little mental 'check' before I say something or when I'm singing to myself or being silly- 'who else is hearing this?'. It's not good for us as a species.


LordNoodles1 t1_j29b0lp wrote

How many farts and baby babbles do they want to hear?


Not_floridaman t1_j29gw1h wrote

The lightning McQueen is really fun! My son will sit there with it for 20-30 minutes!

As for the lock, yes I do. My husband is super paranoid but what sold him is that we can give it "guest codes" so they don't get our actual code and we can delete the guest codes as often as you need to so no one who shouldn't have access can't just walk in. My husband works weird hours sometimes coming home after midnight or gone overnight and I wasn't the best at remembering to lock the door so it's really, really nice not having to go back downstairs to lock the door if I forgot to until I had gotten into bed or he'll check when he's working and lock it for me (sounds creepier than it is lol, I'm just really forgetful and grew up in a house where we never locked the front door).