Google has pushed back against claims its new Home Hub smart display poses a security risk to users.
A security researcher claimed the device is “beyond dismal” when it comes to protecting the privacy of early adopters. Independent security advocate Jerry Gamblin says the device is wide open to bad actors, and it appears Google’s choice to use Cast tech over Android Things is the culprit.
He says the Home Hub make use of an undocumented and unsecured API that enables a third-party to take “near full remote unauthenticated control” of the device.
In a blog post, Gamblin explained how he was easily able to execute code to force an unauthorised reboot of the device, delete the registered wireless networks and disable all notifications. He says the flaw in the API could enable third-parties to commandeer the device.
Related: Google Home Hub vs Amazon Echo Show
In the blog post (via 9to5Google) he wrote: “I am genuinely shocked by how poor the overall security of these devices are, even more so when you see that these endpoints have been known for years and relatively well documented.”
I am not an IOT security expert, but I am pretty sure an unauthenticated curl statement should not be able to reboot the @madebygoogle home hub. pic.twitter.com/gCWFm5Ofyb
— Jerry Gamblin (@JGamblin) October 27, 2018
Google has been quick to respond to the accusations, in a statement issued to Android Authority. It says the claim is inaccurate and says the API in question pertains to the mobile apps used to configure Home devices, and requires the devices are on the same wireless network.
The company says: “All Google Home devices are designed with user security and privacy top of mind and use a hardware-protected boot mechanism to ensure that only Google-authenticated code is used on the device. In addition, any communication carrying user information is authenticated and encrypted.
“A recent claim about security on Google Home Hub is inaccurate. The APIs mentioned in this claim are used by mobile apps to configure the device and are only accessible when those apps and the Google Home device are on the same Wi-Fi network. Despite what’s been claimed, there is no evidence that user information is at risk.”
Are you happy to have a device like the Amazon Echo or Google Home in your home? Or do you worry about the privacy implications? Drop us a line @TrustedReviews on Twitter.
Editorial independence
Editorial independence means being able to give an unbiased verdict about a product or company, with the avoidance of conflicts of interest. To ensure this is possible, every member of the editorial staff follows a clear code of conduct.
Professional conduct
We also expect our journalists to follow clear ethical standards in their work. Our staff members must strive for honesty and accuracy in everything they do. We follow the IPSO Editors’ code of practice to underpin these standards.
Editorial independence
Editorial independence means being able to give an unbiased verdict about a product or company, with the avoidance of conflicts of interest. To ensure this is possible, every member of the editorial staff follows a clear code of conduct.
Professional conduct
We also expect our journalists to follow clear ethical standards in their work. Our staff members must strive for honesty and accuracy in everything they do. We follow the IPSO Editors’ code of practice to underpin these standards.
