So the device to control and secure one's home isn't secure. Then why have it? Icon fits this revelation.
This one weird trick turns your Google Home Hub into a doorstop
A security researcher says an undocumented API in the Google Home Hub assistant can be exploited to kick the gizmo off its own wireless network. Flaw finder Jerry Gamblin says the API allows the device to receive commands from systems and handhelds sharing its local wireless network that can, among other things, reboot the …
COMMENTS
-
Thursday 1st November 2018 02:47 GMT john.jones.name
chromecast based
they used chromecast as the base which previously was just a screen rather than android as the base and this is what happens...
maybe just maybe they should have used android as the base which at least has been audited...
they could still update it to use the same codebase as android things...
-
Thursday 1st November 2018 01:03 GMT SVV
So the HomeHub has an undocumented API backdoor
Which can result in you being unable to unlock your actual back door. Or front door.
I think Google need to change their "legendary" recruitment process to stop asking questions like "If you were a balloon what colour would you be?" and start asking questions like "When you design an API for a device that secures your home, why should you not include a JSON parameter for the WPA Id with a value of 0 that lets you wipe the entire WiFi configuration?".
-
Thursday 1st November 2018 01:27 GMT Anonymous Coward
Re: So the HomeHub has an undocumented API backdoor
Quite right and go a bit further. Engineers should design against failure and not consider it a bit of a downside.
I am still putting together my IoT stuff at home and one of my requirements is that everything fails safe and has a manual control. So, for example, my home's underfloor heating is controllable via Home Assistant and via the thingies on the wall.
-
Thursday 1st November 2018 06:05 GMT jake
Re: So the HomeHub has an undocumented API backdoor
Don't be silly! Engineers had no input in the design of these things. The spec came directly from Marketing, and they needed it built yesterday because the adverts were already being aired. Any engineer who was foolish enough to say "but what about security?" or otherwise flag potential show-stoppers[0] is now watching blinkenlights in a remote data center.
[0] Well, what would have been show-stoppers in a more enlightened age.
-
Thursday 1st November 2018 15:19 GMT Jellied Eel
Re: So the HomeHub has an undocumented API backdoor
When I did my engineering degree, one first year project was working with a company that made pacemakers. So a fascinating introduction into how to design safety critical devices & much brainstorming to think of ways it could go wrong, and how to prevent it. And appropriately enough, it included some remote control/config capability to keep safe. And then discovering all the ways our body attacks foreign objects, even if their function is to preserve the host.
So Google kinda failed in designing this device, especially whoever signed off on that API.
-
Thursday 1st November 2018 15:33 GMT Jeffrey Nonken
Re: So the HomeHub has an undocumented API backdoor
"Is it Larry Page or Sergey Brin that are the single down votes of all the critical opinions in here?"
Well, it wasn't me. I'm a firmware developer with hardware roots and two generations of electrical engineers behind me -- IOW I'm not technically an engineer myself, no formal training or certification, but I have the mindset -- and all I've given are upvotes.
As an engineer wannabe and problem-solver, I'm aghast at the design and gobsmacked by the cavalier and dismissive attitude of Google's rep. "Oh, it's only vulnerable to anybody on your network. What could go wrong? You're just being alarmist."
-
Thursday 1st November 2018 02:09 GMT Arachnoid
Security PAH who needs stupid security
These devices all suffer from a complete lack of security in any form related to restricting access, as previously documented by the TV show that caused an Alexa device to order online products using the owner's account. They could at least have some form of verbal access code when doing such things instead of just acknowledging whomever speaks out loud..
Alexa Open the front door!..........
-
Thursday 1st November 2018 08:11 GMT Rich 11
Re: Security PAH who needs stupid security
Alexa can understand my television. A few months ago I was listening to an American comedian doing a routine about white people in rural Montana when Alexa spoke up and said "Searching for white Mondeos" and presented me with a list of wing mirrors for sale on Amazon.
This is why I don't fear the AI-pocalypse. AI might crash a few cars or planes, but generally it's going to end up doing so much annoying little stuff that we'll give up and switch it all off. My tablet is now rarely left in the same room as the telly. I limit each room to just the single device capable of turning me into a lazy lardarse.
-
Thursday 1st November 2018 10:52 GMT Anonymous Coward
Re: Security PAH who needs stupid security
"Alexa can barely hear me when I'm standing next to it so I'm not worried that someone in the street can get themselves understood by it."
Sorry, Alexa's too busy listening to the other conversations that are happening to pay attention to you...
You're the only one home? It's listening to the neighbours?
You live in the country and your nearest neighbour is 5 miles away? It's still listening to the neighbours, its mics are that sensitive...
-
Thursday 1st November 2018 11:15 GMT Teiwaz
Re: The usual IoT crap
Some of it is useful and secure. I agree most/all of the advertised consumer stuff totally isn't and I would never have any of that,
But it's not correct to say that all IoT stuff is insecure shit.
Perhaps the industrial grade/business focus stuff is better designed (perhaps).
But since most of the stuff advertised and pushed like the answer to all of life's problems is badly designed, marketing-led data-gathering landfill rammed into any perceived gap in the market like an overused erotic entertainer.
If 99.99% of something is shit, the remainder can only be the occasional bit of sweetcorn.
-
Thursday 1st November 2018 06:18 GMT Anonymous Coward
Google being rather disingenuous
They excuse these bugs by saying that the attacker has to be on the same wifi network. How many bugs has 'Google Zero' found that are far more difficult to exploit? A bug is a bug, and getting onto their network is easy if they have a vulnerable router (which almost all consumer routers running the manufacturer firmware are) or you can get malware onto their PC (which is pretty easy to do via emailing them malware, or getting them to visit a particular URL that contains it)
This isn't a useless doodad like a network controllable light bulb, and could have some pretty serious consequences if (or should I say when) it is compromised if people are controlling a bunch of "smart home" features with it.
-
Thursday 1st November 2018 08:43 GMT Giovani Tapini
Re: Google being rather disingenuous
My interpretation was that Google are saying it's OK because it's working as designed, rather than being a bug or vulnerability due to improper deployment.
I still don't see the point of them though. Voice control is fun for about 1 minute and then it's a pain in the A$$ especially if you are living with, er, background noise...
-
Thursday 1st November 2018 14:32 GMT PM from Hell
Re: Google being rather disingenuous
I use a set of wireless switched socket adaptors to control background lighting in a couple of rooms, they are both absolutely dumb and cost approximately £15 for 3 at Wilco's.
They have worked very well so far and have removed the requirement to ferret around behind furniture to turn lamps on and off.
-
Thursday 1st November 2018 06:29 GMT A.P. Veening
"Responsible" disclosure
Let's see how Google handles this disclosure of something they already have been aware of for a long time and which should have been patched within two weeks at most.
And no, I don't consider a statement that it is only exploitable from the same wifi network adequate handling.
-
Thursday 1st November 2018 09:23 GMT Christian Berger
Well it's probably the Google brain drain
In the image of potential employees Google used to be a company supported by ads doing cool stuff. Now it seems that image shifts more and more to a company doing mundane stuff to shift more ads.
The result is that more and more of the smart people are leaving the company, leaving behind the "not so smart" people. Eventually this will mean that the average competence of the people inside the company is considerably lower than the average competence of new hires, as the "smart" ones will leave quickly while the "dumb" ones stay behind.
Eventually you are left with a company of people who are bad at what they are doing. Add the inability of those people to take any criticism and you are probably at where Google is now.
Google rarely produces "Cool stuff" any more, their Android is just as bad as any other mobile operating system, lacking a simple core design idea like all truly successful software works have.
Even their AI developments are more or less a few new ideas applied to insane amounts of CPU power.
-
Friday 2nd November 2018 09:09 GMT Christian Berger
Re: Well it's probably the Google brain drain
"It's not 'just as bad' - in ways that matter (security/privacy) it's orders of magnitude worse."
Compared to what? None of the mobile operating systems out there are any good for security and privacy. It's like comparing how tasty different kinds of industrial waste are. Sure the one coming from the sewage works might be tastier than the one coming from your lead mine, but both are not suitable for human consumption.
-
Thursday 1st November 2018 09:44 GMT Timmy B
2 simple questions that should have been asked in the design meetings:
Is there a way of proving that the request came from the app?
Is there any kind of way of encrypting messages between the app and the home?
Good grief - it's not rocket science! You don't even need to be technical to ask those things.
-
Thursday 1st November 2018 15:30 GMT Cannister
I used to work for a Home Automation company. I can tell you for certain that the "proving the request came from the app" option was most likely purposefully turned off / not considered. Home Automation servers rely on access to devices with HTTP interfaces (e.g. Rokus, Philips Hue bridges, NVRs, HDMI Matrices, etc) in order to integrate them. Not many provide an "authentication" step, to prove to the IoT device that the command from outside is 'legit'. Some do, but not many... It's horses for courses - the tighter the security, the harder it is to integrate with a larger Home Automation system. The looser the security, the more vulnerable it is to outside attack. The trick is to find a happy medium.....
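An added illustration of the "prove the request came from the app" question raised in the two comments above; it is not part of the thread and not Google's or any vendor's code. It assumes the app and the device share a key established at pairing, and the command names are constructed sample values. It covers authenticity and replay only, not encryption of the messages.

```python
import hashlib
import hmac
import json
import secrets
import time

MAX_SKEW = 30  # seconds a signed command stays valid (assumed policy)


def _tag(key, env):
    # MAC covers command, timestamp and nonce in a canonical JSON encoding.
    body = json.dumps({k: env[k] for k in ("cmd", "ts", "nonce")},
                      sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def sign_command(key, cmd, now=None):
    """App side: wrap a command with a timestamp, a random nonce and a MAC."""
    env = {"cmd": cmd, "ts": int(time.time() if now is None else now),
           "nonce": secrets.token_hex(16)}
    env["mac"] = _tag(key, env)
    return env


class Device:
    """Device side: accept only fresh, unseen commands signed with the pairing key."""

    def __init__(self, key):
        self.key = key
        self.seen = {}  # nonce -> timestamp, kept only while still replayable

    def handle(self, env, now=None):
        now = time.time() if now is None else now
        try:
            ts, nonce, mac = int(env["ts"]), str(env["nonce"]), str(env["mac"])
            expected = _tag(self.key, env)
        except (KeyError, TypeError, ValueError):
            return "rejected: malformed or unsigned"
        if not hmac.compare_digest(mac.encode(), expected.encode()):
            return "rejected: bad signature"
        if abs(now - ts) > MAX_SKEW:
            return "rejected: stale"
        self.seen = {n: t for n, t in self.seen.items() if abs(now - t) <= MAX_SKEW}
        if nonce in self.seen:
            return "rejected: replay"
        self.seen[nonce] = ts
        return "accepted"
```

The integration cost described in the comment above shows up here as the pairing step: every controller that wants to drive the device needs the key before `handle` will accept anything from it.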
-
Thursday 1st November 2018 13:32 GMT steviebuk
I can't get this through to my partner
No matter how many times I tell her why IoT are shit security wise. She won't listen. She's an Apple fan, so somewhat explains it but has been with me for years banging on about IT security & sometimes actually listens. It's her house too, so I've had to give in with the fucking Dyson fan being on the network. I really need to sort out setting up a VLAN (once I learn how) so the fucking IoT shit she thinks we need can all be on their own VLAN. (a camera based door bell was the recent suggestion)
Speaking of that, I really should look at disconnecting the Clever Dog cameras we have. They are bollocks. God knows what they are looking at while on the network. I haven't sat down with wireshark to watch them yet. Read their T&C and they essentially say "If our cameras have security issues or our servers ever get hacked, then it's not our fault". They are only slightly amusing to confuse the cat and my partner uses it to wake me up when I fall asleep on the sofa and finds it very funny.
I haven't tried but I suspect you can hook the cameras up to your network so they are visible on your account but then give them to someone else to put on their network. But then still see the video feed as they are still connected to your account. I might be wrong, it might not work, but as they register using the MAC address I'm thinking that exploit might work.