====================================================================
Published: 26 December 2022
Tags: http, infosec
Matt Kunze describes his discovery of security issues with the Google Home smart speaker that allowed an attacker within wireless proximity to install a “backdoor” account on the device, enabling them to send commands to it remotely over the Internet, access its microphone feed, and make arbitrary HTTP requests within the victim’s LAN.
Some highlights:
- Google Home’s architecture is based on Chromecast, which doesn't have a need for very good security
- Although many researchers have looked into the security of these devices, they mostly missed the subtlety of the account-linking vulnerability
- More devices, more problems