Home Hub can be restarted or factory reset by local users

Oct 30, 2018 14:04 GMT  ·  By

The just-launched Google Home Hub smart display can be controlled, with no authentication, by anyone on the same local network via an undocumented API, as discovered by security researcher Jerry Gamblin.

Gamblin found the potential security issue affecting Google's Home Hub devices after scanning his own Hub with nmap once it was added to his network; to his surprise, the scan showed a large number of open ports.

This led to the discovery of an undocumented control API inherited from Google's Chromecast devices. It exposes multiple endpoints that allow a potential local attacker to run a multitude of commands, some of them dangerous and others useful only for collecting information about the device.

A more detailed view of all the possible commands one can use can be found in this full overview of the local API used by the Google Home app to communicate with the Google Home Hub device.

According to Google, the Google Home app can be used to configure Chromecast and Google Home devices, as well as control, organize, and manage thousands of compatible smart home devices.

As detailed by Gamblin in his report, Google's Home Hub can be rebooted with a single unauthenticated curl command and, even worse, can have its currently configured network deleted, which immediately makes the device unusable until a new network is set up.

Google's Home Hub smart display uses an undocumented API to communicate with the Home app, with no authentication mechanism in place.

The researcher also discovered that, with a little scripting around the same curl command, users with access to the wireless network the Google Home Hub smart display runs on could reboot every such device on that network at once.

Google Home Hub devices on the same network can also have their wireless network settings cleared in batch mode using a maliciously crafted command, forcing the owner to manually reconfigure each of them.

"This looks like intended functionality as most of these calls are documented in the source code they have open sourced," Gamblin told Softpedia in an interview.

This is just the start of the story, as the researcher told us he is still looking into what a malicious actor could do once they get a foothold on the network a Google Home Hub is connected to.

Although rebooting or resetting a Google Home Hub through the undocumented API requires being connected to the same wireless network, it is not hard to imagine a sufficiently skilled and motivated attacker finding a way onto that network and doing just that.

[Images: Google Home Hub; Google Home Hub in setup mode]