What seems like an unsolicited effort can be a way to make things better. For the Google Home Hub and the rest of the Google Home products, the recent discovery that the device is not as secure as expected may be helpful. Developer and self-confessed security advocate Jerry Gamblin was happy to receive his new Google Home Hub, only to be disappointed to find an undocumented API in the device. That's not uncommon, but Google should know better, since such an API can be easily exploited.
People who are particular about Google and Android security won't take this lightly, so there must be a way to fix the problem. Apparently, Gamblin made a gamble by scanning the network. The scan showed numerous open ports that shouldn't be visible.
Gamblin tested the system further and tried rebooting the hub with a command. As shown in the video, this is possible with an unauthenticated curl command.
I am not an IOT security expert, but I am pretty sure an unauthenticated curl statement should not be able to reboot the @madebygoogle home hub. pic.twitter.com/gCWFm5Ofyb
— Jerry Gamblin (@JGamblin) October 27, 2018
He shared his experiment on Twitter, along with his thoughts on Google's poor security measures. It is something that must be dealt with, since millions of people store their data and private information in Google's database.
Google knows the situation and has already shared a response with Android Authority:
“All Google Home devices are designed with user security and privacy top of mind and use a hardware-protected boot mechanism to ensure that only Google-authenticated code is used on the device. In addition, any communication carrying user information is authenticated and encrypted. A recent claim about security on Google Home Hub is inaccurate. The APIs mentioned in this claim are used by mobile apps to configure the device and are only accessible when those apps and the Google Home device are on the same Wi-Fi network. Despite what’s been claimed, there is no evidence that user information is at risk.”
The tech giant denies the allegation and calls it "inaccurate". Google says the APIs mentioned are used by mobile apps. There is a possibility that the home network is not secure. That could be one reason, but to be safe, make sure you check the Google Home Hub's security. Check that your home network is safe and secure too.
VIA: JerryGamblin, Android Authority