Google Home Smart Speakers Permit Hackers to Tune in Chats

Recently, a researcher discovered that a bug in Google Home smart speakers allowed hackers to install a backdoor account. It could be used remotely as a snooping device by accessing the microphone feed.

Earlier this week, the prober published technical details about his findings alongside an attack scenario. It aims to show how the flaw could be leveraged.

While experimenting with his Google Home mini speaker, the investigator found that new accounts added through the Home app could send commands remotely via the cloud API.

Further, he found the device’s port for the local HTTP API using a Nmap scan and set up a proxy to catch the encrypted HTTPS traffic. This trick was made to snatch the user authorization token.

By doing so, he discovered that adding a new user to the earmarked gadget is a two-step process that needs the device name, certificate, and “cloud ID” from its local API. Using this information, hackers could send a link request to the Google server.

Hence, the proof of concept took things a step further from just situating a rogue user and enabling spying using the microphone. This method makes arbitrary HTTP requests on the victim’s network and reads or writes haphazard files on the device.

Chrome to Block Insecure HTTP Downloads on Samsung Phones

Generally, Google Chrome on Samsung or another Android phone marks insecure HTTP websites as “not secure” in the address bar.

Now, the company unveiled a new toggle that can be found inside security settings. By turning on “Always use secure connections”, Chrome would be forced to connect to the HTTPS version of the website. In context, URLs with HTTPS websites are secured compared to HTTP.

This new feature comes in handy in situations when a user accidentally navigates an unsecured version of a particular website.

In cases wherein no secure version is available, a warning message will pop up if the user would like to continue navigating insecurely.