The Google Home Hub, Google’s first foray into smart display has been generally lauded in reviews, including our own. Under a security review, however, the story may be a bit different, with one researcher claiming that the device’s security is “beyond dismal.” Google, of course, denies these claims.
The Google Home Hub doesn’t run on Android Things like the other Assistant Smart Displays such as the JBL Link View and the Lenovo Smart Display, but instead uses the Google Cast Platform. According to a recent interview, it seems the decision was made based on the company’s greater familiarity with the Cast Platform over Android Things.
This decision may have left the device open to some potential vulnerabilities, according to security researcher Jerry Gamblin. His research shows that the Home Hub can, in some ways, be controlled remotely using an unsecured API that was originally discovered for Chromecasts and Google Homes. Gamblin was able to turn this information to his advantage and use a command prompt to tell his Google Home Hub to reboot.
I have spent the last two evenings looking at the security of the new Google Home Hub, and it is beyond dismal. It allows near full remote unauthenticated control by an (undocumented) API. https://t.co/gsrLoLOtfy
— Jerry Gamblin (@JGamblin) October 30, 2018
Before we get too up in arms, however, we need to establish some context. The API in question here is used by the Google Home app to communicate with devices, and it seems there is very little the API can do that isn’t possible from the Google Home app. More importantly, this is not even the first time this “exploit” has made the news, having been at the center of a much more serious security flaw earlier this year that could reveal the precise location (down to the street address) of a Chromecast or Google Home device.
Since that previous exploit was discovered, Google closed the hole, but left the rest seemingly untouched. Intrepid hackers and researchers like Rithvik Vibhu have poked and prodded at the remaining API, to the point of thoroughly documenting it.
These facts were backed up by a statement from Google, given to Android Authority:
All Google Home devices are designed with user security and privacy top of mind and use a hardware-protected boot mechanism to ensure that only Google-authenticated code is used on the device. In addition, any communication carrying user information is authenticated and encrypted.
A recent claim about security on Google Home Hub is inaccurate. The APIs mentioned in this claim are used by mobile apps to configure the device and are only accessible when those apps and the Google Home device are on the same Wi-Fi network. Despite what’s been claimed, there is no evidence that user information is at risk.
There isn’t a clear verdict to be made here, as there are valid points on both sides. Google, for its part, claims the API is there for setting up the device and does not expose user information (anymore anyway), and this lines up with the facts we can see in the unofficial documentation.
However, Gamblin makes a very valid point in saying that this API could at least be authenticated, rather than left open. This would likely be a simple fix on Google’s end, but, given this isn’t the first time the company’s come under fire for this exposed API, this is unlikely to change any time soon.