This one weird trick turns your Google Home Hub into a doorstop

A security researcher says an undocumented API in the Google Home Hub assistant can be exploited to kick the gizmo off its own wireless network. Flaw finder Jerry Gamblin says the API allows the device to receive commands from systems and handhelds sharing its local wireless network that can, among other things, reboot the …

  1. Mark 85 Silver badge
    Facepalm

    So the device to control and secure one's home isn't secure. Then why have it? Icon fits this revelation.

    1. john.jones.name
      Holmes

      chromecast based

      they used chromecast as the base which previously was just a screen rather than android as the base and this is what happens...

      maybe just maybe they should have used android as the base which at least has been audited...

      they could still update it to use the same codebase as android things...

      1. Argh

        Re: chromecast based

        Android Things has significantly higher hardware requirements. I don't believe the Google Home Hub meets these requirements, which is why it's cheaper than the other Google smart displays.

        1. ratfox Silver badge

          Re: chromecast based

          The Chromecast allows anybody who is on the same wifi network to give it orders. If you give your wifi password to guests, they can set what music is playing.

          For a Chromecast, it's a feature. For a home hub?

  2. SVV Silver badge

    So the HomeHub has an undocumented API backdoor

    Which can result in you being unable to unlock your actual back door. Or front door.

    I think Google need to change their "legendary" recruitment process to stop asking questions like "If you were a balloon what colour would you be?" and start asking questions like "When you design an API for a device that secures your home, why should you not include a JSON parameter for the WPA Id with a value of 0 that lets you wipe the entire WiFi configuration?".

    1. gerdesj Silver badge

      Re: So the HomeHub has an undocumented API backdoor

      Quite right and go a bit further. Engineers should design against failure and not consider it a bit of a downside.

      I am still putting together my IoT stuff at home and one of my requirements is that everything fails safe and has a manual control. So, for example, my home's underfloor heating is controllable via Home Assistant and via the thingies on the wall.

      1. jake Silver badge

        Re: So the HomeHub has an undocumented API backdoor

        Don't be silly! Engineers had no input in the design of these things. The spec came directly from Marketing, and they needed it built yesterday because the adverts were already being aired. Any engineer who was foolish enough to say "but what about security?" or otherwise flag potential show-stoppers[0] is now watching blinkenlights in a remote data center.

        [0] Well, what would have been show-stoppers in a more enlightened age.

    2. EJ

      Re: So the HomeHub has an undocumented API backdoor

      Is it Larry Page or Sergey Brin that are the single down votes of all the critical opinions in here?

      1. Jellied Eel Silver badge

        Re: So the HomeHub has an undocumented API backdoor

        When I did my engineering degree, one first year project was working with a company that made pacemakers. So a fascinating introduction into how to design safety critical devices & much brainstorming to think of ways it could go wrong, and how to prevent it. And appropriately enough, it included some remote control/config capability to keep safe. And then discovering all the ways our body attacks foreign objects, even if their function is to preserve the host.

        So Google kinda failed in designing this device, especially whoever signed off on that API.

      2. Jeffrey Nonken Silver badge

        Re: So the HomeHub has an undocumented API backdoor

        "Is it Larry Page or Sergey Brin that are the single down votes of all the critical opinions in here?"

        Well, it wasn't me. I'm a firmware developer with hardware roots and two generations of electrical engineers behind me -- IOW I'm not technically an engineer myself, no formal training or certification, but I have the mindset -- and all I've given are upvotes.

        As an engineer wannabe and problem-solver, I'm aghast at the design and gobsmacked by the cavalier and dismissive attitude of Google's rep. "Oh, it's only vulnerable to anybody on your network. What could go wrong? You're just being alarmist."

      3. WolfFan Silver badge

        Page or Brin?

        Both. They’re too bloody cheap to get more than one account, and are too arrogant to realise that accounts are free, so they share one.

  3. Youngone Silver badge

    Shocked! Shocked I tell you!

    "I am genuinely shocked by how poor the overall security of these devices are..."

    Why?

    Nobody else is.

  4. Arachnoid

    Security PAH who needs stupid security

    These devices all suffer from a complete lack of security in any form related to restricting access, as previously documented by the TV show that caused an Alexa device to order online products using the owner's account. They could at least have some form of verbal access code when doing such things instead of just acknowledging whomever speaks out loud..

    Alexa Open the front door!..........

    1. disk iops

      Drive-by robbery with a megaphone

      I can see it now, cruise down the street with a loudspeaker with your buddy trying doors as "Alexa open the door" blares...

      1. onefang Silver badge

        Re: Drive-by robbery with a megaphone

        A whole new form of wardriving.

    2. Thrud61

      Re: Security PAH who needs stupid security

      Alexa has both a big "don't do voice purchases switch" and a "set a voice access code for purchases".

      Alexa can barely hear me when I'm standing next to it so I'm not worried that someone in the street can get themselves understood by it.

      1. Rich 11 Silver badge

        Re: Security PAH who needs stupid security

        Alexa can understand my television. A few months ago I was listening to an American comedian doing a routine about white people in rural Montana when Alexa spoke up and said "Searching for white Mondeos" and presented me with a list of wing mirrors for sale on Amazon.

        This is why I don't fear the AI-pocalypse. AI might crash a few cars or planes, but generally it's going to end up doing so much annoying little stuff that we'll give up and switch it all off. My tablet is now rarely left in the same room as the telly. I limit each room to just the single device capable of turning me into a lazy lardarse.

        1. Christopher Rogers

          Re: Security PAH who needs stupid security

          Ahhhh but that's what the AI wants you to think.....

      2. Anonymous Coward

        Re: Security PAH who needs stupid security

        "Alexa can barely hear me when I'm standing next to it so I'm not worried that someone in the street can get themselves understood by it."

        Sorry, Alexa's too busy listening to the other conversations that are happening to pay attention to you...

        You're the only one home? It's listening to the neighbours?

        You live in the country and your nearest neighbour is 5 miles away? It's still listening to the neighbours, its mics are that sensitive...

    3. ACcc

      Alexa Open the front door!..........

      I'm sorry Dave, I'm afraid I can't do that

  5. Anonymous Coward

    The usual IoT crap

    This is why you will never find any of this IoT shit in my house.

    Overpriced, under developed, badly designed and insecure garbage which in the vast majority of cases is a solution for a problem which doesn't actually exist.

    1. The Man Who Fell To Earth Silver badge
      Black Helicopters

      Re: The usual IoT crap

      At the very least, put it all on its own VLAN that has nothing important on it like your computers.

    2. jb99

      Re: The usual IoT crap

      Hmm,

      Some of it is useful and secure. I agree most/all of the advertised consumer stuff totally isn't and I would never have any of that,

      But it's not correct to say that all IoT stuff is insecure shit.

      It's probably a good assumption to take by default though.

      1. Teiwaz Silver badge

        Re: The usual IoT crap

        Some of it is useful and secure. I agree most/all of the advertised consumer stuff totally isn't and I would never have any of that,

        But it's not correct to say that all IoT stuff is insecure shit.

        Perhaps the industrial grade/business focus stuff is better designed (perhaps).

        But since most the stuff advertised and pushed like the answer to all of life's problems is badly designed, marketing-led data-gathering landfill rammed into any perceived gap in the market like an overused erotic entertainer.

        If 99.99% of something is shit, the remainder can only be occasional bit of sweetcorn.

        1. Joe Montana

          Re: The usual IoT crap

          The industrial stuff tends to be better tested for reliability, but in terms of security it can be as bad if not worse. Also despite being horrendously expensive, a lot of this stuff uses the same cheap generic Chinese electronics as the consumer stuff.

        2. Anonymous Coward

          Re: The usual IoT crap

          I work with industrial IOT. Good thing I wasn't drinking anything when I read that.

  6. DougS Silver badge

    Google being rather disingenuous

    They excuse these bugs by saying that the attacker has to be on the same wifi network. How many bugs has 'Google Zero' found that are far more difficult to exploit? A bug is a bug, and getting onto their network is easy if they have a vulnerable router (which almost all consumer routers running the manufacturer firmware are) or you can get malware onto their PC (which is pretty easy to do via emailing them malware, or getting them to visit a particular URL that contains it)

    This isn't a useless doodad like a network controllable light bulb, and could have some pretty serious consequences if (or should I say when) it is compromised if people are controlling a bunch of "smart home" features with it.

    1. Dan 55 Silver badge

      Re: Google being rather disingenuous

      Project Zero seems to be more concerned with the specks of sawdust in others' eyes rather than the plank in its own.

      1. Giovani Tapini

        Re: Google being rather disingenuous

        My interpretation was that Google are saying it's OK because it's working as designed, rather than being a bug or vulnerability due to improper deployment.

        I still don't see the point of them though. Voice control is fun for about 1 minute and then it's a pain in the A$$ especially if you are living with, er, background noise...

        1. jake Silver badge

          Re: Google being rather disingenuous

          Yes, it is working as designed.

          Unfortunately, the designer clearly had no clue about system security.

          1. A.P. Veening

            Re: Google being rather disingenuous

            Yes, it is working as designed.

            Unfortunately, it isn't working as desired (by security conscious users).

        2. Joe Harrison Silver badge

          Re: Google being rather disingenuous

          Home automation does not necessarily equal voice control. Wi-fi switches are actually really useful in some circumstances, especially for people who live in a rented place and can't drill holes and run wires.

          1. PM from Hell

            Re: Google being rather disingenuous

            I use a set of wireless switched socket adaptors to control background lighting in a couple of rooms, they are both absolutely dumb and cost approximately £15 for 3 at Wilco's.

            They have worked very well so far and have removed the requirement to ferret around behind furniture to turn lamps on and off.

          2. zip119

            Re: Google being rather disingenuous

            Wouldn't Bluetooth connectivity for in-home controls be just as useful for renters, and not vulnerable to the public internet?

    2. vmy2197

      Re: Google being rather disingenuous

      On the same WiFi network? You mean like a malware infected WiFi router?

      https://www.tomsguide.com/us/russian-router-malware,news-27288.html

  7. A.P. Veening

    "Responsible" disclosure

    Let's see how Google handles this disclosure of something they already have been aware of for a long time and which should have been patched within two weeks at most.

    And no, I don't consider a statement that it is only exploitable from the same wifi network adequate handling.

  8. John Smith 19 Gold badge
    FAIL

    No one knows it's there --> no one can exploit it.

    Yup, security by obscurity strikes again.

    And again.

    And again.

  9. Christian Berger Silver badge

    Well it's probably the Google brain drain

    In the image of potential employees Google used to be a company supported by ads doing cool stuff. Now it seems that image shifts more and more to a company doing mundane stuff to shift more ads.

    The result is that more and more of the smart people are leaving the company, leaving behind the "not so smart" people. Eventually this will mean that the average competence of the people inside the company is considerably lower than the average competence of new hires, as the "smart" ones will leave quickly while the "dumb" ones stay behind.

    Eventually you are left with a company of people who are bad at what they are doing. Add the inability of those people to take any criticism and you are probably at where Google is now.

    Google rarely produces "Cool stuff" any more, their Android is just as bad as any other mobile operating system, lacking a simple core design idea like all truly successful software works have.

    Even their AI developments are more or less a few new ideas applied to insane amounts of CPU power.

    1. Lord Elpuss Silver badge

      Re: Well it's probably the Google brain drain

      "their Android is just as bad as any other mobile operating system"

      It's not 'just as bad' - in ways that matter (security/privacy) it's orders of magnitude worse.

      1. Christian Berger Silver badge

        Re: Well it's probably the Google brain drain

        "It's not 'just as bad' - in ways that matter (security/privacy) it's orders of magnitude worse."

        Compared to what? None of the mobile operating systems out there are any good for security and privacy. It's like comparing how tasty different kinds of industrial waste are. Sure the one coming from the sewage works might be tastier than the one coming from your lead mine, but both are not suitable for human consumption.

  10. Timmy B Silver badge

    2 simple questions that should have been asked in the design meetings:

    Is there a way of proving that the request came from the app?

    Is there any kind of way of encrypting messages between the app and the home?

    Good grief - it's not rocket science! You don't even need to be technical to ask those things.

    1. A.P. Veening

      No need to be technical

      "You don't even need to be technical to ask those things."

      But you do need something called common sense, something decidedly lacking in both managers and sales droids.

    2. Cannister

      I used to work for a Home Automation company. I can tell you for certain that the "proving the request came from the app" option was most likely purposefully turned off / not considered. Home Automation servers rely on access to devices with HTTP interfaces (e.g. Rokus, Philips Hue bridges, NVRs, HDMI Matrices, etc) in order to integrate them. Not many provide an "authentication" step, to prove to the IoT device that the command from outside is 'legit'. Some do, but not many... It's horses for courses - the tighter the security, the harder it is to integrate with a larger Home Automation system. The looser the security, the more vulnerable it is to outside attack. The trick is to find a happy medium.....

  11. Loyal Commenter Silver badge

    The most significant words in this article:

    without any authentication.

    Quite frankly, I should think that's a sackable offence for at least one person at Google.

  12. adam payne Silver badge

    My Mrs looked into these and really wanted one, she still can't figure out why I said not a chance.

  13. steviebuk Silver badge

    I can't get this through to my partner

    No matter how many times I tell her why IoT are shit security wise. She won't listen. She's an Apple fan, so somewhat explains it but has been with me for years banging on about IT security & sometimes actually listens. It's her house too, so I've had to give in with the fucking Dyson fan being on the network. I really need to sort out setting up a VLAN (once I learn how) so the fucking IoT shit she thinks we need can all be on their own VLAN. (a camera based door bell was the recent suggestion)

    Speaking of that, I really should look at disconnecting the Clever Dog cameras we have. They are bollocks. God knows what they are looking at while on the network. I haven't sat down with wireshark to watch them yet. Read their T&C and they essentially say "If our cameras have security issues or our servers ever get hacked, then it's not our fault". They are only slightly amusing to confuse the cat and my partner uses it to wake me up when I fall asleep on the sofa and finds it very funny.

    I haven't tried but I suspect you can hook the cameras up to your network so they are visible on your account but then give them to someone else to put on their network. But then still see the video feed as they are still connected to your account. I might be wrong, it might not work, but as they register using the MAC address I'm thinking that exploit might work.

  14. myhandler

    Plus one for the headline

    Beats cling film for wrinkles

  15. Dabooka Silver badge

    This is bad news, bad news indeed.

    I mean if we can't trust Google, who can we?

    1. jake Silver badge

      Re: This is bad news, bad news indeed.

      I trust quite a few folks. None of them are multi-national advertising aggregators with revenue in the billions.

      1. Dabooka Silver badge

        Re: This is bad news, bad news indeed.

        Yeah, I was kinda taking the piss there my friend

  16. chit.chat

    Backdoor?

    I mean it's a pretty new device, so there are a lot of flaws, pretty sure it would be running just fine after a few updates. On one side I'm happy 'cause I purchased the Lenovo display (Google Assistant) and got a bigger screen, more features, better speakers, but on the other Black Friday is coming up, and would love to get myself a hub. Dilemma...Dilemma

  17. martinusher Silver badge

    So you can kick the device off the network...

    I'm probably in a minority when I say "So What?". I'd rather that commands that went to the device without authentication were read-only and (obviously) didn't read sensitive information but provided these commands can't actually do anything they're just a curiosity. After all, the vast majority of people won't be able to hack into a secured network and of those a relatively small subset will be familiar with shell commands like awk.

    All these commands do is run scripts in a setup directory. So far the researcher has discovered a couple, they look like the sort of thing that might be used when updating software. Running them would be a nuisance but not a disaster -- what would be a disaster is if you could load your own script or run an action command or two. For me, the real problem is using a web type interface as a command interface, it's klunky and inefficient but everyone's doing it because it's what they're used to and the alternatives would require learning new techniques.

  18. joekhul

    El Reg Fake News Press

    So the malicious software has to target this, meaning it has to know I have a home hub, then it has to find it on my network... oh.. and I have to HAVE the malicious software in the first place on one of my computers / devices / etc.... And the reward for the author of the malicious software is... NOTHING.

    RegTards meet TrumpTurds. You guys are all a bunch of effin' morons. Heading back now to the real world...

    1. Snorlax Silver badge
      FAIL

      Re: El Reg Fake News Press

      @joekhul:"And the reward for the author of the malicious software is... NOTHING."

      Some people, like you, are just assholes and get a warm feeling from pissing people off.

      Some things aren't about the money.

  19. Claptrap314 Bronze badge

    And when he says, "they already knew about it"

    Apparently he missed the TIGF when a Noogler Rickrolled us with it. Yeah, Google already knows.

  20. DerekCurrie
    WTF?

    Google Project Zero vs Google Project FacePlant

    Shame, shame. Why is this consistently the case?

    Google's Project Zero is to be thanked for finding security flaws in software throughout the computer community.

    Google's own software and platforms are to be cursed for constantly being found to be riddled with security flaws, not by Project Zero but by third party researchers. Android, as a platform, is of course the worst of all.

    WTF is Google's problem?

    • Is this a company culture problem? 'Don't you dare penetration test my precious software!'

    • Is this laziness? 'Here at Google, we don't have the time or money to test our own software!'

    • Is this stupidity? 'Marketing says we should make other company's software look bad, that way we'll look good.'

    My impression: Stay away from Google software. It's not that Google has any corner on bad programming. Security flaws are the plight of nearly all programming at this point in time. Instead, Google appears to use Project Zero as an umbrella to shade itself from having to take its own inevitable security flaws seriously, until they're shamed.

    Consider this a contribution to Google shaming.


Biting the hand that feeds IT © 1998–2019