Security advocate Jerry Gamblin has discovered code loopholes that can threaten Google Home’s security.
Google Home Hub was launched as the company aims to compete with Amazon‘s Alexa. Hub is basically an Android tablet connected to a speaker, which can serve as an in-room Google Assistant. Visually, it looks similar to the Echo Show — though some early reviews have said it lacks the aesthetic sleekness of the Show — or the more recently announced Facebook Portal device. The Google Home Hub will be slightly more colorful than its competition (with a speaker base in pink, white, grey and green), but with a seven-inch screen, as opposed to the new Show’s 10-inch screen.
“For life at home, we designed a smart display so you can hear and see the info you need, and manage your connected home from a single screen,” noted Rick Osterloh, Google’s SVP of hardware.
Hub connects to Wi-Fi, receives video and photos from other devices (and broadcasts its PIN), and accepts commands remotely, including a quick reboot via the command line.
“I was surprised to see so many ports open, so I started to do some research and found that these devices have an undocumented (and amazingly unsecured) API,” wrote Gamblin in a blog post. “After spending 15 or 20 minutes looking, I found that you can reboot the Hub with [an] unauthenticated curl command.”
Gamblin went on to explain that a number of additional one-liners expose further data, including a number of microservices. Though none of the loopholes are serious, they are cause for concern.
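The weakness described above is a local control API that performs an administrative action (a reboot) for anyone who can reach the port, with no authentication at all. The following is an added example, not code from the article and not Google's own firmware or API: a small hypothetical device control service that models that anti-pattern beside a hardened variant of the same endpoint, which requires a per-device bearer token compared in constant time. The endpoint path, header name and token handling are assumptions for illustration.

```python
"""Added example (not from the article or from Google): a hypothetical
device control service showing an unauthenticated admin endpoint next to
the same endpoint protected by a per-device bearer token."""
import hmac
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Hypothetical per-device secret; a real device would provision this at
# setup time and never advertise it on the network.
DEVICE_TOKEN = secrets.token_hex(16)

# Record of actions the "device" actually carried out (for inspection).
actions_performed = []


def decide(require_auth, path, headers):
    """Return (status_code, action_or_None) for a POST to the device.

    require_auth=False models the open, undocumented-API behaviour the
    article describes; require_auth=True is the hardened variant."""
    if require_auth:
        presented = headers.get("Authorization", "")
        expected = "Bearer " + DEVICE_TOKEN
        # Constant-time comparison; also False when lengths differ.
        if not hmac.compare_digest(presented.encode(), expected.encode()):
            return 401, None
    if path == "/reboot":          # hypothetical admin endpoint
        return 200, "reboot"
    return 404, None


def make_handler(require_auth):
    """Build an http.server handler whose policy is decided by decide()."""
    class Handler(BaseHTTPRequestHandler):
        def do_POST(self):
            status, action = decide(require_auth, self.path, self.headers)
            if action:
                actions_performed.append(("auth" if require_auth else "open", action))
            self.send_response(status)
            self.send_header("Content-Type", "text/plain")
            self.end_headers()
            self.wfile.write(b"rebooting" if action else b"denied")

        def log_message(self, *args):  # keep the demo quiet
            pass
    return Handler


def serve(require_auth):
    """Start a server on an ephemeral loopback port; return (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), make_handler(require_auth))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def post(port, path, token=None):
    """POST to the local demo server and return the HTTP status code."""
    headers = {"Authorization": "Bearer " + token} if token else {}
    req = Request(f"http://127.0.0.1:{port}{path}", data=b"", headers=headers, method="POST")
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


def demo():
    """Exercise both variants over loopback; return the observed statuses."""
    actions_performed.clear()
    results = {}
    srv, port = serve(require_auth=False)
    results["open_no_token"] = post(port, "/reboot")          # 200: anyone can reboot
    srv.shutdown(); srv.server_close()
    srv, port = serve(require_auth=True)
    results["hardened_no_token"] = post(port, "/reboot")      # 401
    results["hardened_wrong_token"] = post(port, "/reboot", token="f" * 32)  # 401
    results["hardened_right_token"] = post(port, "/reboot", token=DEVICE_TOKEN)  # 200
    srv.shutdown(); srv.server_close()
    results["actions"] = list(actions_performed)
    return results


if __name__ == "__main__":
    print(demo())
```

Running the module starts each variant on a loopback port, sends the same reboot request to both, and shows the open variant performing the action with no credential while the hardened variant performs it only for the correct token. The policy lives in `decide()` so it can be unit-tested without sockets; on a real device the token check would sit in front of every management endpoint, not just the one shown here.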
“I am genuinely shocked by how poor the overall security of these devices is, even more so when you see that these endpoints have been known for years and relatively well-documented,” wrote Gamblin. “I usually would have worked directly with Google to report these issues if they had not previously disclosed, but due to the sheer amount of prior work online and committed code in their own codebase, it is obvious they know.”