An undocumented API in Google home devices is easily exploitable

guest · Oct 30, 2018

An undocumented API in Google home devices is easily exploitable
October 29, 2018
https://jerrygamblin.com/2018/10/29/google-home-insecurity/

I have always been a fan of Google Products, so when they announced the Google Home Hub, I ordered one.

Once I got the Hub on my network I scanned it [...] I was surprised to see so many ports open so I started to do some research and found that these devicies have an undocumented (and amazingly unsecured) API

After spending 15 or 20 minutes looking I found that you can reboot the hub with this unauthenticated curl command:

curl -Lv -H Content-Type:application/json --data-raw '{"params":"now"}' http://hub:8008/setup/reboot
Technical Deep Dive
I am going to dive directly into sharing some of the commands I have found and the output and will end by showing how a bad actor could use this API. [...]
Click to expand...

Closing Thoughts
I am genuinely shocked by how poor the overall security of these devices are, even more so when you see that these endpoints have been known for years and relatively well documented.
Click to expand...

guest · Oct 31, 2018

‘No evidence user information at risk’ says Google regarding Home Hub security
October 30, 2018
https://www.androidauthority.com/google-home-hub-security-920291/

Yesterday, Jerry Gamblin published an article on his personal blog detailing several security vulnerabilities he found in his new Google Home Hub. Although the article is incredibly technical with hundreds of lines of code, even a layman can tell Gamblin thinks the Google Home Hub is very insecure.

However, Android Authority reached out to Google directly for a comment on the allegations Mr. Gamblin makes. This is the response we received from a Google spokesperson, reprinted in full:

[...] The APIs mentioned in this claim are used by mobile apps to configure the device and are only accessible when those apps and the Google Home device are on the same Wi-Fi network. Despite what’s been claimed, there is no evidence that user information is at risk.”
It seems Google is saying that although Gamblin’s security code snippets are legitimate, he’s neglecting to point out that only devices connected to the same network as the Google Home Hub — i.e., your home network — could cause these things to happen.
Click to expand...

Log in or Sign up

An undocumented API in Google home devices is easily exploitable

guest Guest

guest Guest

Log in or Sign up

An undocumented API in Google home devices is easily exploitable

guest Guest

guest Guest

Useful Searches