Can You Hear Me Now?

We buy smart speakers and scatter them everywhere — living room, dining room, kitchen, bedrooms — how cool! So, our homes have speakers with built-in microphones, always-on internet connections, and lord knows how many lines of code. What could possibly go wrong?

Alexa, Siri, Hey Google — you know the line-up. These speakers are pretty clever (but not nearly as clever as ChatGPT) and millions of copies have been sold around the world. The underlying technology (most of it in the cloud) is vastly complicated and of course complexity breeds opportunity for nefarious behavior. What could possibly go wrong? Well, a lot can go wrong.

As with many software companies, Google offers a reward to anyone who finds security bugs in their software products. Security sleuth Matt Kunze, playing around with his own Google Home (Nest) speaker, found a whopping big bug. He discovered that hackers could remotely install a backdoor in Google smart speakers and command them to do all sorts of things, including accessing the microphone to eavesdrop on the owner. Oops. When Kunze alerted Google to the problem in March 2021, they verified its existence and wrote him a check for $107,500.

The attack methodology wasn't all that difficult. A hacker had to be within wireless proximity of the speaker, but didn't need access to the Wi-Fi account it was connected to. The hacker could identify the speaker, obtain its credentials, access the speaker's setup mode, install a different account, then re-connect it to the user's Wi-Fi. After that, the hacker could access the speaker via a phone call to the speaker. The hacker could unlock Google-controlled home and vehicle locks, play music, control appliances, read and write files, make online transactions, and do everything a Google speaker could do, including telling the speaker to call the hacker's phone so they could listen through the speaker's microphone.

There was only one indication that something villainous was occurring: the blue light on the speaker would light to show that the speaker was activated. If the owner didn't notice that, or perhaps assumed that the speaker was updating or something, the hack would go undetected.

After Kunze discovered the bug, Google updated its speaker software with an invitation-only system that (hopefully) defeats the ability to remotely add an account and thus blocks unauthorized use. The setup also now requires a QR code to log on; at least in theory, a hacker would need physical access to the speaker. If you are a Google speaker user, this article has some general user tips and although is it somewhat dated, this article provides some security tips.

That security loophole has apparently been closed. But, I'll simply repeat the opening question: Our homes have speakers with built-in microphones, always-on internet connections, and lord knows how many lines of code. What could possibly go wrong?

X