Imagine if someone was listening in to conversations taking place in your home. You certainly would feel vulnerable. A researcher named Matt Kunze discovered that hackers can be spying on you and your family via a Google Home smart speaker. According to BleepingComputer (via AndroidCentral), Kunze was messing around with a Nest Mini when he discovered that a rogue or “backdoor” account could be created using the Google Home app. That account could then be used to control the smart speaker giving a bad actor access to the microphone feed and other features of the device remotely.
Kunze received $107,500 from Google for discovering this vulnerability which turned the Google Nest Mini from a smart speaker into a device able to snoop on the user’s conversations and more. The rogue account can be used to control the smart speaker by sending it commands remotely via the cloud API (application programming interface). The API allows two or more computer programs to communicate.
The information needed to hack the Nest Mini would include the name of the device, the certificate, and the Cloud ID. With this info, the hacker can send a request to Google’s server requesting a link to the smart speaker allowing the device to be used to make online transactions, control smart appliances, unlock the front door, and more. The hacker could also have the speaker call his phone allowing him to listen in to a conversation taking place around the home using the speaker’s microphone.
The researcher was able to make this happen by creating a malicious routine that included the “call [phone number]” command. This activated the microphone at a specified time, calling the attacker’s phone (as we mentioned in the above paragraph) allowing him to listen in via the microphone on the smart speaker. Kunze recorded a video showing how the Nest Mini’s microphone can send conversations to a smartphone, which in this case would be in the possession of the bad actor.
The issue was discovered by Kunze in January 2021 and Google fixed it in April 2021. Anyone running the latest firmware should not be concerned with this issue.