Security researcher Jerry Gamblin revealed how a few lines of code written in XML for Google Home Hub can be used to gain access to user data. The code exploits an undocumented and unsecured API and can force the device to reboot or reveal data.
Gamblin wrote in a blog post that he found a number of open ports being used by the device. Out of sheer curiosity, he opened the command prompt on his computer to test the Google Home Hub’s security.
I have spent the last two evenings looking at the security of the new Google Home Hub, and it is beyond dismal. It allows near full remote unauthenticated control by an (undocumented) API. https://t.co/gsrLoLOtfy
— Jerry Gamblin (@JGamblin) October 30, 2018
What he found was quite shocking: it’s possible to force the Home Hub to reboot with a single line of code. After tinkering with some more code, Gamblin was able to delete the Google Home Hub’s currently configured WiFi networks, disable notifications and basically just mess around with it.
But Google doesn’t seem concerned about it as their spokesperson told Engadget the APIs mentioned by Gamblin are “used by mobile apps to configure the device”.
They are only “accessible when those apps and the Google Home device are on the same Wi-Fi network.” The spokesperson also added that “despite what’s been claimed, there is no evidence that user information is at risk.”
Although the attacker must be connected to the same network as the Google Home Hub they are targeting, Google should come up with other forms of authentication to prevent people with malicious intent from executing such code.