- A popular hacker published a blog entry describing multiple security vulnerabilities regarding the Google Home Hub.
- According to the hacker, the Google Home Hub “allows near full remote unauthenticated control by an (undocumented) API.”
- Google, however, refutes the claims as inaccurate and says “there is no evidence that user information is at risk.”
Yesterday, Jerry Gamblin published an article on his personal blog detailing several security vulnerabilities he found in his new Google Home Hub. Although the article is incredibly technical with hundreds of lines of code, even a layman can tell Gamblin thinks the Google Home Hub is very insecure.
Gamblin sent out a tweet to his 11,000 followers to promote the article. In the tweet, he says “the security of the new Google Home Hub … is beyond dismal,” and “allows near full remote unauthenticated control by an (undocumented) API.”
You can see the tweet below:
I have spent the last two evenings looking at the security of the new Google Home Hub, and it is beyond dismal. It allows near full remote unauthenticated control by an (undocumented) API. https://t.co/gsrLoLOtfy
— Jerry Gamblin (@JGamblin) October 30, 2018
According to Gamblin, it is not difficult to hack into a Google Home Hub to run several commands which could be labeled a security risk. For example, one can restart the entire Home Hub, delete the currently-configured wireless network, or disable all notifications.
Gamblin concludes, “I am genuinely shocked by how poor the overall security of these devices are, even more so when you see that these endpoints have been known for years and relatively well documented.”
However, Android Authority reached out to Google directly for a comment on the allegations Mr. Gamblin makes. This is the response we received from a Google spokesperson, reprinted in full:
“All Google Home devices are designed with user security and privacy top of mind and use a hardware-protected boot mechanism to ensure that only Google-authenticated code is used on the device. In addition, any communication carrying user information is authenticated and encrypted. A recent claim about security on Google Home Hub is inaccurate. The APIs mentioned in this claim are used by mobile apps to configure the device and are only accessible when those apps and the Google Home device are on the same Wi-Fi network. Despite what’s been claimed, there is no evidence that user information is at risk.”
It seems Google is saying that although Gamblin’s security code snippets are legitimate, he’s neglecting to point out that only devices connected to the same network as the Google Home Hub — i.e., your home network — could cause these things to happen. If a rogue hacker were to somehow gain access to your home network, your Home Hub could be compromised, but that would be true of pretty much anything connected to your home network, not just your Hub.
This is a nice reminder to make sure your home network is as secure as possible.