Comments

chrisdh79 OP t1_j249z9f wrote

From the article: A bug in Google Home smart speaker allowed installing a backdoor account that could be used to control it remotely and to turn it into a snooping device by accessing the microphone feed.

A researcher discovered the issue and received $107,500 for responsibly reporting it to Google last year. Earlier this week, the researcher published technical details about the finding and an attack scenario to show how the flaw could be leveraged.

While experimenting with his own Google Home mini speaker, the researcher discovered that new accounts added using the Google Home app could send commands to it remotely via the cloud API.

Using an Nmap scan, the researcher found the port for the local HTTP API of Google Home, so he set up a proxy to capture the encrypted HTTPS traffic, hoping to snatch the user authorization token.

51

ZaNobeyA t1_j26b8wo wrote

A few days ago I had the Google hub reset and set up with a different Google account. I still had control over it with the previous account from a phone. I wonder if this is correlated somehow.

8

One-Weather-740 t1_j26lego wrote

"Yes mr. police officer, they stole my bitcoin through my speaker"

7

majorgeneralpanic t1_j24enzd wrote

I’m powerfully uncomfortable with the Internet of things for this reason. When the big boys like Samsung TVs and Google Homes are so vulnerable, why would I be able to trust a small startup? They probably have to use off the shelf parts like OpenSSH that open the door for HeartBleed etc, and they can’t afford the security staff that Google can.

45

HardwareRaidIsDead t1_j24zabv wrote

OpenSSH is fine as long as it is patched, and is commonly used software. A lot of IoTs are built so cheap they can only get updates for a few years before they break. Also, them being a black box does not help.

14

ManyInterests t1_j270hu6 wrote

You want them to use off-the-shelf solutions. Never roll your own security.

4

Dont____Panic t1_j279wqg wrote

I run a cybersecurity company that helps companies with exactly this type of thing.

So many companies we talk to simply say “yeah that’s not in the budget unless a customer/government tells us it’s mandatory.”

About 10-20% do it anyway.

Hard to tell which is which as a customer.

1

Clean-Ad-8872 t1_j253jq3 wrote

Ours is in our bathroom…poor hackers lol

38

StinkyS t1_j25qrl8 wrote

"Anything useful from the wire today?"

"Nah, just more trumpet practice."

25

QkaHNk4O7b5xW6O5i4zG t1_j25bequ wrote

The title reads worse than it is. The account with access needs to add other accounts for the vulnerability to be leveraged.

16

contributes_n0thing t1_j25d37b wrote

Google fixed all problems in April 2021.

Always scroll down to the end of these "sky is falling" tech stories.

15

halfanothersdozen t1_j24i9d3 wrote

Well then they probably heard me cussing at Rocket League and telling my dogs they are good boys

12

WoodBoogerSpork t1_j24yqgf wrote

Ok so somewhat on topic, but really more just a question for someone else that has "good boys". Do you ever hear Google responding when you ask your dog "Who's a good boy?" or just even "Good boy."? I'll be talking to my dog and from out of left field Google will tell me "Sorry I don't understand."

I AIN'T EVEN TALKING TO YOU, GOOGLE!

2

reichbc t1_j259qtw wrote

The speaker doesn't understand "what you're saying" - it listens for key vocal frequencies that more or less come together to form the expected phrase "Ok, Google" - Assuming you have not fully voice trained your Assistant, it has to fuzz its listening expectations, as it doesn't know your specific voice frequencies that correlate with "Ok, Google".

What you end up with is a system that's listening very broadly for something that sounds like "Ok Google" and with the amount of fuzzing needed to capture that, "good boy" can come close enough on key frequencies to match up with "okay" and then any further speech might match up with a fuzzed expectation of "google".

Think about it, some people repeat phrases to their dogs a few times, "Who's a g__OO__d bo__Y__? wh__OO__'s A good boy?" (cap'd and bolded for fuzzy syllables probably recognized)

5

IAmGrum t1_j25ic9t wrote

"who'S A GOOd boy" sounds a lot like "HEY GOOgle"

2

OfficeChairHero t1_j257qul wrote

I have an 8 year old. I hope they like fart jokes, cause that's what they're going to hear at my house.

10

microgiant t1_j24f44x wrote

God I wish I had something to say that was interesting enough to be worth snooping on.

8

iotic t1_j253m1r wrote

Old - they patched it

7

Theman00011 t1_j25uajh wrote

Luckily though the initial vulnerability requires the attacker to be within wireless range of the Google Home before they can use it remotely.

5

golden918 t1_j25kefi wrote

You're saying that if the thing that snoops on your conversations is hacked they would snoop on your conversations??

2

PhoibosApollo2018 t1_j27pdcn wrote

No way!! Shocking. Internet connected device with Mic and/or Cameras being used for snooping.

2

xxoahu t1_j286s57 wrote

Is "allowed" the best word here?? If a rapist shoots you and rapes your wife did you allow it to happen? Perhaps "Criminals were able to hack Google home speakers to snoop on conversations?"

2

Fastest_light t1_j28j8dv wrote

Downvoted. 1. An old story, 2. Misleading title.

2

Zagrebian t1_j256bns wrote

Community question: How many microphones do you have in your home?

For me, it’s six, I think. Three smartphones, two laptops, and the landline.

1

Adorable-Slip2260 t1_j25hxsr wrote

Shocking. Imagine being one of the dickheads using things like this and Alexa.

1

a_white_american_guy t1_j27bzud wrote

OH MY GOD NO WAY WHO COULD’VE PREDICTED THIS?!

MICROPHONES IN OUR HOMES THAT WE CAN’T CONTROL?

WHO WOULD’VE THOUGHT THAT THOSE COULD BE EXPLOITED?!

WOOOOOOOOOOW!

0

SpecificAstronaut69 t1_j27prr9 wrote

Sometimes I'd like to time travel a 1980s Stasi agent to right now and just see their jaw drop.

2

fred1445 t1_j2534uq wrote

water is wet!

−2

watwatinjoemamasbutt t1_j24th6d wrote

Fly eagles flyyyyyy!!! E! A! G! L! E! S! Eagles!!!! Go birdzzzz!!!!!

−6