Security researcher Jeremy Gamblin discovered a way to brick Google Home Hub by exploiting an ‘undocumented (and amazingly unsecured)’ API. He managed to reboot the device, delete its WiFi network, and disable notifications. Google disputes that this is a security flaw, saying the API mentioned is used by mobile apps to configure the device and is only accessible if the device and apps are on the same WiFi network. ‘Despite what’s been claimed, there is no evidence that user information is at risk.’
- Should Google add protections from malicious actors even if exploits are difficult?
- Is access to a password-secured WiFi network sufficient authentication?
A security researcher discovered a series of commands that could be used to brick the Google Home Hub. According to Jeremy Gamblin, it’s possible to exploit an “undocumented (and amazingly unsecured)” API. It can be used to force the device to reboot or reveal data about a victim’s network.
Gamblin wrote in a blog post that after he purchased the Google Home Hub and set it up in his home, he noticed a number of open ports being used by the device. Curiosity got the best of him, and he started using the command prompt on his computer to test the smart display’s security. What he found was that it’s possible to force a reboot with a single line of code. After a bit more playing around, Gamblin was able to delete the Google Home Hub’s WiFi network, disable notifications and just generally be a pest.
For its part, Google seems far less concerned about the perceived security flaw than Gamblin. “A recent claim about security on Google Home Hub is inaccurate,” a spokesperson for Google told Engadget. “The APIs mentioned in this claim are used by mobile apps to configure the device and are only accessible when those apps and the Google Home device are on the same Wi-Fi network. Despite what’s been claimed, there is no evidence that user information is at risk.”