Google Home Hub is secure, says Google, despite insecurity claims

By JC Torres/Oct. 30, 2018 8:53 pm EST

When you have a connected device that's at the center of your home, both literally and figuratively, it can be frightening to imagine what the consequences would be if such device were compromised to gain access to the rest of your home. That might be the inherent risk of a smart home future if the hubs that become their command center become security liabilities instead. For one hacker, that is exactly the case with the Google Home Hub. Google, however, is unsurprisingly refuting the claims.

Considering how smart speakers and smart displays are positioned to be C&C of smart homes, it's hard to resist the temptation to hack into them to gain access to the rest of the connected home. Or at least to see just how easy or hard it is to compromise the rest of the house's security through a single entry point. Or in this case, point of failure.

Hacker Jerry Gamblin just wrote a blog post and a series of tweets detailing how the new Google Home Hub, the version of the Home speaker series with a face, is actually quite easy to hack into and get full remote unauthenticated control through undocumented APIs. He demonstrates how relatively trivial it was, at least for a seasoned hacker, to cause the Home Hub to reboot remotely.

I am not an IOT security expert, but I am pretty sure an unauthenticated curl statement should not be able to reboot the @madebygoogle home hub. pic.twitter.com/gCWFm5Ofyb

— Jerry Gamblin (@JGamblin) October 27, 2018

For its part, Google's response given to Android Authority is practically saying that Gamblin is practically crying wolf. The APIs are, in fact, working as intended but are only effective if the attacking device is on the same network as the Home Hub. But if that were the case, then the compromised user has a lot more to worry about than just a hacked Home Hub. Here's the statement in full:

"All Google Home devices are designed with user security and privacy top of mind and use a hardware-protected boot mechanism to ensure that only Google-authenticated code is used on the device. In addition, any communication carrying user information is authenticated and encrypted. A recent claim about security on Google Home Hub is inaccurate. The APIs mentioned in this claim are used by mobile apps to configure the device and are only accessible when those apps and the Google Home device are on the same Wi-Fi network. Despite what's been claimed, there is no evidence that user information is at risk."

So while Google downplays the risk of this discovered vulnerability, some might argue that it's still a potential exploit, whether or not there is evidence of risk at this point. With a critical piece of a connected home, one probably shouldn't take any risks at all.