Product reviews, deals and the latest tech news

Your conversations could have been secretly recorded using Google Home speakers

A security researcher has claimed that certain Google Home smart speakers may have been compromised, allowing an attacker direct access to the device and the ability to eavesdrop on users’ chats.

Matt Kunze, a security researcher, found the flaw and reported it to Google, earning him a prize of $107,500.

While checking his own Google Home small speaker for vulnerabilities, Kunze discovered a method to create another Google account, which would be enough to enable eavesdropping. He detailed this discovery in a blog post.

Including suspicious profiles

To begin, the attacker must be in close wireless range to the device and actively listen for Media Access Control (MAC) addresses beginning with a Google-affiliated prefix.

The next step is to send deauth packets, which force the device off of network access and into setup mode. In the setup phase, they ask for information about the device, then use that data to associate the device with their account. Now they can spy on the gadget’s users remotely via the internet without needing to be in range of the WiFi.

There is more at stake than “simply” overhearing discussions, however. Many people who have purchased a smart home speaker have also connected it to other smart home devices, such as smart locks and smart light switches. The researcher also figured out how to exploit the “call phone number” command in order to make the device contact the attacker at a predetermined time while also streaming live audio.

After discovering the flaw in early 2021, Google fixed it in April 2022 by implementing a new invite-based mechanism for account linkage and permanently disabling access to Home for users whose accounts had not been connected.

To eliminate any potential security issues, Google Home owners should upgrade the endpoint’s firmware to the most recent version as soon as feasible.