Google has denied claims that its Home Hub is dangerously insecure after it was revealed that it’s easy to yank information off the smart home device.
Security researcher Jerry Gamblin shared a set of instructions that uses basic lines of XML to guide would-be hackers through how to suck data from the Home Hub and even brick it.
The hack can be carried out remotely and is apparently enabled thanks to the use of an undocumented and unsecured API.
Discussing Google’s stance on the flaw, how hackers can exploit it, and Gamblin’s own controversial means of revealing it, is Paul Bischoff, privacy advocate at Comparitech.
Paul Bischoff, Privacy Advocate at Comparitech:
“This argument essentially comes down to interpretation. The vulnerability that Gamblin found does indeed exist, but it can only be exploited by devices connected to the same Wi-Fi network as the Google Home Hub. This, Google says, is by design, to make it easier for mobile apps to connect and configure the device. So long as your Wi-Fi network is secure and doesn’t have any hackers on it, this is not a problem. However, plenty of people have poor security on their home Wi-Fi networks. Google can’t solve this problem on behalf of the user, but it could arguably guard against it.
The hack allows an attacker to do a few things: reboot the Hub, brick it (make it unusable until manually reset or reconfigured), disable notifications, reboot other Google Home devices on the network, and pull a bunch of information about the device, settings, and the network it’s connected to.
Security vulnerabilities uncovered by professional researchers and penetration testers are usually disclosed privately to the developer or manufacturer before being released to the public. The reason is that the vulnerabilities should be patched before hackers find out about it and start attacking users. It appears this was not the case with Gamblin, so I imagine there may be some issues regarding responsible disclosure. I found his closing statement to be a bit cynical and lack due diligence: “I usually would have worked directly with Google to report these issues if they had not previously disclosed, but due to the sheer amount of prior work online and committed code in their own codebase, it is obvious they know.”