A security researcher has won a $107,500 bug bounty after discovering a way in which hackers could install a backdoor on Google Home devices to seize control of their microphones, and secretly spy upon their owners’ conversations.

Vulnerability hunter Matt Kunze initially reported the problem to Google in early 2021, after experiments with his own Google Home smart speaker noticed the ease with which it added new users via the Google Home app.

Kunze discovered that connected users could send commands remotely to paired Google Home devices via its cloud API.

In a technical blog post, Kunze described a possible attack scenario:

1. Attacker wishes to spy on victim. Attacker can get within wireless proximity of the Google Home (but does NOT have the victim’s Wi-Fi password).
2. Attacker discovers victim’s Google Home by listening for MAC addresses with prefixes associated with Google Inc. (e.g. E4:F0:42).
3. Attacker sends deauth packets to disconnect the device from its network and make it enter setup mode.
4. Attacker connects to the device’s setup network and requests its device info.
5. Attacker connects to the internet and uses the obtained device info to link their account to the victim’s device.
6. Attacker can now spy on the victim through their Google Home over the internet (no need to be within proximity of the device anymore).

According to Kunze, a malicious hacker who has successfully linked his account to the targeted Google Home device can now execute commands remotely: controlling smart switches, making purchases online, remotely unlock doors and vehicles, or opening smart locks by brute-forcing a user’s PIN.

Kunze even determined that he could exploit a Google Home speaker’s “call <phone number>” command, effectively transmitting everything picked up by its microphone to a phone number of the hacker’s choice.

Thankfully, Kunze’s responsible disclosure of the vulnerabilities to Google mean that none of the security flaws should be possible to exploit any more.  Google fixed the security holes in April 2021, although details have only been made public now.

Of course, that does mean that for some years millions of people were…