Full Report
Google Home is a suite of products for around the house automation. While using the device, they noticed how seamless adding users was. Additionally, the set of automated routines, that can be ran remotely, made the linking process look like a fruitful target. First, they decided to use a proxy to look at the web traffic of the device. This took some shenanigans in order to intercept on the phone, such as adding the mitmproxy as a root CA and bypass the certificate pinning using a Frida script. They then observed the linking process via the web traffic, seeing a request made to /deviceuserlinksbatch. The request was using protobuf, a binary format made by Google. The linking process was made up of two requests: Get the devices' info through the local API. Send a link request to the Google server alongside this information. The author reimplemented everything in Python for their own sanity. Manually recreating the protobuf binary from scratch would have been very annoying. they found a script for calling Google Cloud APIs and another that did the whole Android Google login process. With the authentication and protobuf setup, they could make craft their own requests. It should be noted for testing protobufs, there is an assumption that both users have a .proto file that defines types and names. The requests themselves don't have types (so they must be guessed) and don't have names associated with them. The author made a request with this and it magically worked! There was no authorization check on whether an account had access to a particular Google Home device. Now, an attacker could link their own account to the Google Home app with ease. What can an attacker actually do with this though? This is where the article goes off the rails! First, they considered the different avenues of controls devices in the house, such as opening garage doors and other things, which was originally detailed here. While scrolling through the actions on the device, they noticed a call command. If the device could be tricked into calling a phone number, then the audio would be completely required in the routine. Spy capabilities unlocked! While trying to escalate the damage, they found an article from Dan Petro from 2014. This article mentions that when a Chromecast loses connection, it will go into a setup mode. By forcing the device to deauth with specific WiFi frames in close proximity, we can make a local API request to get the Cloud ID and certificate of the device. While reading docs, they author noticed the Local Home SDK for creating Smart home actions on the device. Even though this has docs to directly access the LAN, the device tries to restrict by only allowing connections to devices that pass a scan. However, when the app is in a development mode, the Chrome Devtools Protocol (CDP) is open on the device, which is a remote version of Chrome DevTools. Using this, we can access the standard JS API to make arbitrary requests on the LAN, read and write files, likely leading to RCE. With this finding and set of exploit chains, the author contacted Google. The author was rewarded with a 100K bounty, after initially getting hit with this being intended functionality. Google did a few things to patch these issues: You must request an invite to the 'Home' that the device is registered to in order to link your account to it through the /deviceuserlinksbatch API. Call commands cannot be invoked remotely anymore. Although the deauth attack still works, this cannot be used to link an account. This prevents the attack from occurring since we cannot get an auth token for the device now. Overall, excellent technical findings! It was really cool to see the bug and the exploits that were possible from it. I wish the article was more focused though; it seemed like their were a lot of unnecessary details, making it hard to figure out what to focus on.
Analysis Summary
# Vulnerability: Google Home Remote Access and Microphone Hijack (Account Linking Bypass)
## CVE Details
- **CVE ID**: N/A (Google assigned a bug tracking ID, but a public CVE was not formally issued for this specific chain at the time of the report).
- **CVSS Score**: Estimated 8.1 (High)
- **CWE**: CWE-285 (Improper Authorization), CWE-306 (Missing Authentication for Critical Function)
## Affected Systems
- **Products**: Google Home Smart Speakers (confirmed on Google Home Mini / "Mushroom" 1st Gen).
- **Versions**: Firmware versions prior to 1.56.309385 (August 2022).
- **Configurations**: Devices using the local `/setup/` API and those lacking WPA3/802.11w support (making them susceptible to deauthentication).
## Vulnerability Description
The vulnerability stems from a broken authentication/authorization model in how Google Home handles account linking.
1. **Broken Authorization**: The Google Cloud API endpoint `/deviceuserlinksbatch` did not verify if the requesting account had permission or physical proximity to link to a specific device ID (Cloud ID).
2. **Local ID Leak**: An attacker in wireless proximity can use a Wi-Fi deauthentication attack to force the device into a "setup mode." In this state, the device's local API (`/setup/eureka_info`) leaks the **Cloud ID** and internal certificates without authentication.
3. **Account Injection**: By combining the leaked Cloud ID with the insecure `/deviceuserlinksbatch` Cloud API, an attacker can link their own Google account to the victim's device remotely, effectively installing a "backdoor" account.
## Exploitation
- **Status**: PoC available; rewarded $107,500 by Google VRP.
- **Complexity**: Medium (requires Wi-Fi deauth and Protobuf request crafting).
- **Attack Vector**: Adjacent (initial phase requires wireless proximity to trigger deauth/ID leak), then Network (remote control of the device once linked).
## Impact
- **Confidentiality**: **High**. Attackers can trigger the `call [phone number]` command to turn the speaker into a remote wiretap, or use the "Local Home SDK" via Chrome Devtools Protocol (CDP) to sniff LAN traffic and read files.
- **Integrity**: **High**. Attackers can send arbitrary commands, manipulate smart home routines (e.g., unlocking doors), and modify device configurations.
- **Availability**: **Medium**. Attackers can play media, change volumes, or disrupt device functionality.
## Remediation
### Patches
- **Cloud Update**: Google patched the `/deviceuserlinksbatch` API to require an "invite" from the home owner before a link can be established.
- **Command Restrictions**: The `call` command (used for the wiretap PoC) was updated to prevent remote invocation via routines.
- **Firmware**: Ensure Google Home devices are updated to the latest version (1.56.309385 or higher).
### Workarounds
- There are no direct workarounds for the vulnerable API, but using a router that enforces **WPA3 or 802.11w (Management Frame Protection)** helps prevent the deauthentication attack used to leak the device ID.
## Detection
- **Indicators of Compromise**:
- Presence of unknown accounts/users in the "Google Home" app "People in this home" section.
- Unexpected "Routine" history or device activity logs (e.g., unrecognized outgoing calls or LED pulsing).
- **Detection Methods**: Monitor for unauthorized Wi-Fi deauthentication frames in the vicinity of IoT devices.
## References
- **Vendor Advisory**: Google VRP (Bug ID: 215160167)
- **Technical Write-up**: hxxps://downrightnifty[.]me/blog/2022/12/26/hacking-google-home.html
- **Prior Research**: Dan Petro (2014) Chromecast security research.