So the device to control and secure one's home isn't secure. Then why have it? Icon fits this revelation.
This one weird trick turns your Google Home Hub into a doorstop
A security researcher says an undocumented API in the Google Home Hub assistant can be exploited to kick the gizmo off its own wireless network. Flaw finder Jerry Gamblin says the API allows the device to receive commands from systems and handhelds sharing its local wireless network that can, among other things, reboot the …
COMMENTS
-
Thursday 1st November 2018 02:47 GMT john.jones.name
Chromecast based
They used Chromecast as the base, which previously was just a screen, rather than Android as the base, and this is what happens...
Maybe, just maybe, they should have used Android as the base, which at least has been audited...
They could still update it to use the same codebase as Android Things...
-
Thursday 1st November 2018 01:03 GMT SVV
So the HomeHub has an undocumented API backdoor
Which can result in you being unable to unlock your actual back door. Or front door.
I think Google need to change their "legendary" recruitment process to stop asking questions like "If you were a balloon what colour would you be?" and start asking questions like "When you design an API for a device that secures your home, why should you not include a JSON parameter for the WPA Id with a value of 0 that lets you wipe the entire WiFi configuration?".
-
Thursday 1st November 2018 01:27 GMT Anonymous Coward
Re: So the HomeHub has an undocumented API backdoor
Quite right and go a bit further. Engineers should design against failure and not consider it a bit of a downside.
I am still putting together my IoT stuff at home and one of my requirements is that everything fails safe and has a manual control. So, for example, my home's underfloor heating is controllable via Home Assistant and via the thingies on the wall.
-
Thursday 1st November 2018 06:05 GMT jake
Re: So the HomeHub has an undocumented API backdoor
Don't be silly! Engineers had no input in the design of these things. The spec came directly from Marketing, and they needed it built yesterday because the adverts were already being aired. Any engineer who was foolish enough to say "but what about security?" or otherwise flag potential show-stoppers[0] is now watching blinkenlights in a remote data center.
[0] Well, what would have been show-stoppers in a more enlightened age.
-
Thursday 1st November 2018 15:19 GMT Jellied Eel
Re: So the HomeHub has an undocumented API backdoor
When I did my engineering degree, one first year project was working with a company that made pacemakers. So a fascinating introduction into how to design safety critical devices & much brainstorming to think of ways it could go wrong, and how to prevent it. And appropriately enough, it included some remote control/config capability to keep safe. And then discovering all the ways our body attacks foreign objects, even if their function is to preserve the host.
So Google kinda failed in designing this device, especially whoever signed off on that API.
-
Thursday 1st November 2018 15:33 GMT Jeffrey Nonken
Re: So the HomeHub has an undocumented API backdoor
"Is it Larry Page or Sergey Brin that are the single down votes of all the critical opinions in here?"
Well, it wasn't me. I'm a firmware developer with hardware roots and two generations of electrical engineers behind me -- IOW I'm not technically an engineer myself, no formal training or certification, but I have the mindset -- and all I've given are upvotes.
As an engineer wannabe and problem-solver, I'm aghast at the design and gobsmacked by the cavalier and dismissive attitude of Google's rep. "Oh, it's only vulnerable to anybody on your network. What could go wrong? You're just being alarmist."
-
Thursday 1st November 2018 02:09 GMT Arachnoid
Security PAH who needs stupid security
These devices all suffer from a complete lack of security in any form related to restricting access, as previously documented by the TV show that caused an Alexa device to order online products using the owner's account. They could at least have some form of verbal access code when doing such things instead of just acknowledging whomever speaks out loud..
Alexa Open the front door!..........
-
Thursday 1st November 2018 08:11 GMT Rich 11
Re: Security PAH who needs stupid security
Alexa can understand my television. A few months ago I was listening to an American comedian doing a routine about white people in rural Montana when Alexa spoke up and said "Searching for white Mondeos" and presented me with a list of wing mirrors for sale on Amazon.
This is why I don't fear the AI-pocalypse. AI might crash a few cars or planes, but generally it's going to end up doing so much annoying little stuff that we'll give up and switch it all off. My tablet is now rarely left in the same room as the telly. I limit each room to just the single device capable of turning me into a lazy lardarse.
-
Thursday 1st November 2018 10:52 GMT Anonymous Coward
Re: Security PAH who needs stupid security
"Alexa can barely hear me when I'm standing next to it so I'm not worried that someone in the street can get themselves understood by it."
Sorry, Alexa's too busy listening to the other conversations that are happening to pay attention to you...
You're the only one home? It's listening to the neighbours?
You live in the country and your nearest neighbour is 5 miles away? It's still listening to the neighbours, its mics are that sensitive...
-
Thursday 1st November 2018 11:15 GMT Teiwaz
Re: The usual IoT crap
Some of it is useful and secure. I agree most/all of the advertised consumer stuff totally isn't and I would never have any of that,
But it's not correct to say that all IoT stuff is insecure shit.
Perhaps the industrial grade/business focus stuff is better designed (perhaps).
But since most of the stuff advertised and pushed like the answer to all of life's problems is badly designed, marketing-led data-gathering landfill rammed into any perceived gap in the market like an overused erotic entertainer.
If 99.99% of something is shit, the remainder can only be the occasional bit of sweetcorn.
-
Thursday 1st November 2018 06:18 GMT Anonymous Coward
Google being rather disingenuous
They excuse these bugs by saying that the attacker has to be on the same wifi network. How many bugs has 'Google Zero' found that are far more difficult to exploit? A bug is a bug, and getting onto their network is easy if they have a vulnerable router (which almost all consumer routers running the manufacturer firmware are) or you can get malware onto their PC (which is pretty easy to do via emailing them malware, or getting them to visit a particular URL that contains it)
This isn't a useless doodad like a network controllable light bulb, and could have some pretty serious consequences if (or should I say when) it is compromised if people are controlling a bunch of "smart home" features with it.
-
Thursday 1st November 2018 08:43 GMT Giovani Tapini
Re: Google being rather disingenuous
My interpretation was that Google are saying it's OK because it's working as designed, rather than being a bug or vulnerability due to improper deployment.
I still don't see the point of them though. Voice control is fun for about 1 minute and then it's a pain in the A$$ especially if you are living with, er, background noise...
-
Thursday 1st November 2018 14:32 GMT PM from Hell
Re: Google being rather disingenuous
I use a set of wireless switched socket adaptors to control background lighting in a couple of rooms, they are both absolutely dumb and cost approximately £15 for 3 at Wilco's.
They have worked very well so far and have removed the requirement to ferret around behind furniture to turn lamps on and off.
-
Thursday 1st November 2018 06:29 GMT A.P. Veening
"Responsible" disclosure
Let's see how Google handles this disclosure of something they already have been aware of for a long time and which should have been patched within two weeks at most.
And no, I don't consider a statement that it is only exploitable from the same wifi network adequate handling.
-
Thursday 1st November 2018 09:23 GMT Christian Berger
Well it's probably the Google brain drain
In the image of potential employees Google used to be a company supported by ads doing cool stuff. Now it seems that image shifts more and more to a company doing mundane stuff to shift more ads.
The result is that more and more of the smart people are leaving the company, leaving behind the "not so smart" people. Eventually this will mean that the average competence of the people inside the company is considerably lower than the average competence of new hires, as the "smart" ones will leave quickly while the "dumb" ones stay behind.
Eventually you are left with a company of people who are bad at what they are doing. Add the inability of those people to take any criticism and you are probably at where Google is now.
Google rarely produces "Cool stuff" any more, their Android is just as bad as any other mobile operating system, lacking a simple core design idea like all truly successful software works have.
Even their AI developments are more or less a few new ideas applied to insane amounts of CPU power.
-
Friday 2nd November 2018 09:09 GMT Christian Berger
Re: Well it's probably the Google brain drain
"It's not 'just as bad' - in ways that matter (security/privacy) it's orders of magnitude worse."
Compared to what? None of the mobile operating systems out there are any good for security and privacy. It's like comparing how tasty different kinds of industrial waste are. Sure the one coming from the sewage works might be tastier than the one coming from your lead mine, but both are not suitable for human consumption.
-
Thursday 1st November 2018 09:44 GMT Timmy B
2 simple questions that should have been asked in the design meetings:
Is there a way of proving that the request came from the app?
Is there any kind of way of encrypting messages between the app and the home?
Good grief - it's not rocket science! You don't even need to be technical to ask those things.
-
Thursday 1st November 2018 15:30 GMT Cannister
I used to work for a Home Automation company. I can tell you for certain that the "proving the request came from the app" option was most likely purposefully turned off / not considered. Home Automation servers rely on access to devices with HTTP interfaces (e.g. Rokus, Philips Hue bridges, NVRs, HDMI Matrices, etc) in order to integrate them. Not many provide an "authentication" step, to prove to the IoT device that the command from outside is 'legit'. Some do, but not many... It's horses for courses - the tighter the security, the harder it is to integrate with a larger Home Automation system. The looser the security, the more vulnerable it is to outside attack. The trick is to find a happy medium.....
-
Thursday 1st November 2018 13:32 GMT steviebuk
I can't get this through to my partner
No matter how many times I tell her why IoT are shit security wise. She won't listen. She's an Apple fan, so somewhat explains it but has been with me for years banging on about IT security & sometimes actually listens. It's her house too, so I've had to give in with the fucking Dyson fan being on the network. I really need to sort out setting up a VLAN (once I learn how) so the fucking IoT shit she thinks we need can all be on their own VLAN. (a camera based door bell was the recent suggestion)
Speaking of that, I really should look at disconnecting the Clever Dog cameras we have. They are bollocks. God knows what they are looking at while on the network. I haven't sat down with wireshark to watch them yet. Read their T&C and they essentially say "If our cameras have security issues or our servers ever get hacked, then it's not our fault". They are only slightly amusing to confuse the cat and my partner uses it to wake me up when I fall asleep on the sofa and finds it very funny.
I haven't tried but I suspect you can hook the cameras up to your network so they are visible on your account but then give them to someone else to put on their network. But then still see the video feed as they are still connected to your account. I might be wrong, it might not work, but as they register using the MAC address I'm thinking that exploit might work.
-
Thursday 1st November 2018 19:11 GMT chit.chat
Backdoor?
I mean it's a pretty new device, so there are a lot of flaws, pretty sure it would be running just fine after a few updates. On one side I'm happy 'cause I purchased the Lenovo display (Google Assistant) and got a bigger screen, more features, better speakers, but on the other Black Friday is coming up, and would love to get myself a hub. Dilemma...Dilemma
-
Thursday 1st November 2018 19:37 GMT martinusher
So you can kick the device off the network...
I'm probably in a minority when I say "So What?". I'd rather that commands that went to the device without authentication were read-only and (obviously) didn't read sensitive information but provided these commands can't actually do anything they're just a curiosity. After all, the vast majority of people won't be able to hack into a secured network and of those a relatively small subset will be familiar with shell commands like awk.
All these commands do is run scripts in a setup directory. So far the researcher has discovered a couple, they look like the sort of thing that might be used when updating software. Running them would be a nuisance but not a disaster -- what would be a disaster is if you could load your own script or run an action command or two. For me, the real problem is using a web type interface as a command interface, it's klunky and inefficient but everyone's doing it because it's what they're used to and the alternatives would require learning new techniques.
-
Friday 2nd November 2018 01:40 GMT Anonymous Coward
El Reg Fake News Press
So the malicious software has to target this, meaning it has to know I have a home hub, then it has to find it on my network... oh.. and I have to HAVE the malicious software in the first place on one of my computers / devices / etc.... And the reward for the author of the malicious software is... NOTHING.
RegTards meet TrumpTurds. You guys are all a bunch of effin' morons. Heading back now to the real world...
-
Friday 2nd November 2018 21:49 GMT DerekCurrie
Google Project Zero vs Google Project FacePlant
Shame, shame. Why is this consistently the case?
Google's Project Zero is to be thanked for finding security flaws in software throughout the computer community.
Google's own software and platforms are to be cursed for constantly being found to be riddled with security flaws, not by Project Zero but by third party researchers. Android, as a platform, is of course the worst of all.
WTF is Google's problem?
• Is this a company culture problem? 'Don't you dare penetration test my precious software!'
• Is this laziness? 'Here at Google, we don't have the time or money to test our own software!'
• Is this stupidity? 'Marketing says we should make other companies' software look bad, that way we'll look good.'
My impression: Stay away from Google software. It's not that Google has any corner on bad programming. Security flaws are the plight of nearly all programming at this point in time. Instead, Google appears to use Project Zero as an umbrella to shade itself from having to take its own inevitable security flaws seriously, until they're shamed.
Consider this a contribution to Google shaming.