Submitted by chrisdh79 t3_zy89wr in technology
Comments
majorgeneralpanic t1_j24enzd wrote
I’m powerfully uncomfortable with the Internet of things for this reason. When the big boys like Samsung TVs and Google Homes are so vulnerable, why would I be able to trust a small startup? They probably have to use off the shelf parts like OpenSSH that open the door for HeartBleed etc, and they can’t afford the security staff that Google can.
microgiant t1_j24f44x wrote
God I wish I had something to say that was interesting enough to be worth snooping on.
halfanothersdozen t1_j24i9d3 wrote
Well then they probably heard me cussing at Rocket League and telling my dogs they are good boys
watwatinjoemamasbutt t1_j24th6d wrote
Fly eagles flyyyyyy!!! E! A! G! L! E! S! Eagles!!!! Go birdzzzz!!!!!
WoodBoogerSpork t1_j24yqgf wrote
Ok so somewhat on topic, but really more just a question for someone else that has "good boys". Do you ever hear Google responding when you ask your dog "Who's a good boy?" or just even "Good boy."? I'll be talking to my dog and from out of left field Google will tell me "Sorry I don't understand."
I AIN'T EVEN TALKING TO YOU, GOOGLE!
HardwareRaidIsDead t1_j24zabv wrote
OpenSSH is fine as long as it is patched, and it is commonly used software. A lot of IoT devices are built so cheaply they can only get updates for a few years before they break. Also, them being a black box does not help.
fred1445 t1_j2534uq wrote
water is wet!
Clean-Ad-8872 t1_j253jq3 wrote
Ours is in our bathroom…poor hackers lol
iotic t1_j253m1r wrote
Old - they patched it
Zagrebian t1_j256bns wrote
Community question: How many microphones do you have in your home?
For me, it’s six, I think. Three smartphones, two laptops, and the landline.
OfficeChairHero t1_j257qul wrote
I have an 8 year old. I hope they like fart jokes, cause that's what they're going to hear at my house.
reichbc t1_j259qtw wrote
The speaker doesn't understand "what you're saying" - it listens for key vocal frequencies that more or less come together to form the expected phrase "Ok, Google" - Assuming you have not fully voice trained your Assistant, it has to fuzz its listening expectations, as it doesn't know your specific voice frequencies that correlate with "Ok, Google".
What you end up with is a system that's listening very broadly for something that sounds like "Ok Google" and with the amount of fuzzing needed to capture that, "good boy" can come close enough on key frequencies to match up with "okay" and then any further speech might match up with a fuzzed expectation of "google".
Think about it, some people repeat phrases to their dogs a few times, "Who's a g__OO__d bo__Y__? wh__OO__'s A good boy?" (cap'd and bolded for fuzzy syllables probably recognized)
QkaHNk4O7b5xW6O5i4zG t1_j25bequ wrote
The title reads worse than it is. The account with access needs to add other accounts for the vulnerability to be leveraged.
WoodBoogerSpork t1_j25buxs wrote
I believe you to be absolutely correct in your assessment.
contributes_n0thing t1_j25d37b wrote
Google fixed all problems in April 2021.
Always scroll down to the end of these "sky is falling" tech stories.
Adorable-Slip2260 t1_j25hxsr wrote
Shocking. Imagine being one of the dickheads using things like this and Alexa.
IAmGrum t1_j25ic9t wrote
"who'S A GOOd boy" sounds a lot like "HEY GOOgle"
golden918 t1_j25kefi wrote
You're saying that if the thing that snoops on your conversations is hacked they would snoop on your conversations??
StinkyS t1_j25qrl8 wrote
"Anything useful from the wire today?”
"Nah, just more trumpet practice."
Theman00011 t1_j25uajh wrote
Luckily though the initial vulnerability requires the attacker to be within wireless range of the Google Home before they can use it remotely.
ZaNobeyA t1_j26b8wo wrote
A few days ago, I had the Google hub reset and set up with a different Google account. I still had control over it with the previous account from a phone. I wonder if this is correlated somehow.
One-Weather-740 t1_j26lego wrote
"Yes mr. police officer, they stole my bitcoin through my speaker"
ManyInterests t1_j270hu6 wrote
You want them to use off-the-shelf solutions. Never roll your own security.
Dont____Panic t1_j279wqg wrote
I run a cybersecurity company that helps companies with exactly this type of thing.
So many companies we talk to simply say “yeah that’s not in the budget unless a customer/government tells us it’s mandatory.”
About 10-20% do it anyway.
Hard to tell which is which as a customer.
a_white_american_guy t1_j27bzud wrote
OH MY GOD NO WAY WHO COULD’VE PREDICTED THIS?!
MICROPHONES IN OUR HOMES THAT WE CAN’T CONTROL?
WHO WOULD’VE THOUGHT THAT THOSE COULD BE EXPLOITED?!
WOOOOOOOOOOW!
a_white_american_guy t1_j27c32y wrote
So not a problem anymore = never was a problem?
PhoibosApollo2018 t1_j27pdcn wrote
No way!! Shocking. Internet connected device with Mic and/or Cameras being used for snooping.
SpecificAstronaut69 t1_j27prr9 wrote
Sometimes I'd like to time travel a 1980s Stasi agent to right now and just see their jaw drop.
xxoahu t1_j286s57 wrote
Is "allowed" the best word here?? If a rapist shoots you and rapes your wife did you allow it to happen? Perhaps "Criminals were able to hack Google home speakers to snoop on conversations?"
Fastest_light t1_j28j8dv wrote
Downvoted. 1. An old story, 2. Misleading title.
chrisdh79 OP t1_j249z9f wrote
From the article: A bug in Google Home smart speaker allowed installing a backdoor account that could be used to control it remotely and to turn it into a snooping device by accessing the microphone feed.
A researcher discovered the issue and received $107,500 for responsibly reporting it to Google last year. Earlier this week, the researcher published technical details about the finding and an attack scenario to show how the flaw could be leveraged.
While experimenting with his own Google Home mini speaker, the researcher discovered that new accounts added using the Google Home app could send commands to it remotely via the cloud API.
Using an Nmap scan, the researcher found the port for the local HTTP API of Google Home, so he set up a proxy to capture the encrypted HTTPS traffic, hoping to snatch the user authorization token.