The Google Home Hub is deeply insecure


By John Biggs

Security advocate Jerry Gamblin has posted a set of instructions – essentially basic lines of XML – that can easily pull important information off of the Google Home Hub and, in some cases, temporarily brick the device.

The Home Hub, which is essentially an Android tablet attached to a speaker, is designed to act as an in-room Google Assistant. This means it connects to Wi-Fi (and allows you to see open Wi-Fi access points near the device), receives video and photos from other devices (and broadcasts its pin), and accepts commands remotely (including a quick reboot via the command line).

The command – which consists of a simple URL call via the command line – is clearly part of the setup process. You can try this at home if you replace “hub” with the Home Hub’s local IP address.

curl -Lv -H Content-Type:application/json --data-raw '{"params":"now"}' http://hub:8008/setup/reboot

I am not an IOT security expert, but I am pretty sure an unauthenticated curl statement should not be able to reboot the @madebygoogle home hub. pic.twitter.com/gCWFm5Ofyb

— Jerry Gamblin (@JGamblin) October 27, 2018
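One way to watch for calls like the one above from a defender's side, as an added example that is not part of the original article: it scans HTTP sensor records for requests to the hub's setup API on port 8008 from hosts that are not on an approved list. The log format, the IP addresses and the allowlist are constructed assumptions; only the port and the /setup/reboot path come from the article.

```python
from dataclasses import dataclass

HUB_PORT = 8008               # port used in the article's curl command
SETUP_PREFIX = "/setup/"      # path prefix of the article's /setup/reboot call
REBOOT_PATH = "/setup/reboot"
# Assumption: only these hosts (e.g. the owner's phone) should reach the setup API.
ALLOWED_CLIENTS = {"192.168.1.20"}

# Constructed sample records: timestamp src_ip dst_ip dst_port method path
SAMPLE_LOG = """\
2018-10-27T14:02:11Z 192.168.1.20 192.168.1.50 8008 POST /setup/reboot
2018-10-27T14:05:42Z 192.168.1.77 192.168.1.50 8008 POST /setup/reboot
2018-10-27T14:05:50Z 192.168.1.77 192.168.1.1 80 GET /index.html
this line is truncated
2018-10-27T14:06:03Z 192.168.1.88 192.168.1.50 8008 GET /setup/reboot?x=1
"""

@dataclass
class Alert:
    timestamp: str
    src: str
    dst: str
    severity: str
    reason: str

def find_setup_api_calls(log_text, allowed=ALLOWED_CLIENTS):
    """Return an Alert for each setup-API request from a host outside `allowed`."""
    alerts = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6 or not fields[3].isdigit():
            continue  # skip malformed or truncated records
        ts, src, dst, port, method, path = fields
        path = path.split("?", 1)[0]  # match on the path, ignoring any query string
        if int(port) != HUB_PORT or not path.startswith(SETUP_PREFIX):
            continue  # not a setup-API request
        if src in allowed:
            continue  # approved management host
        if method == "POST" and path == REBOOT_PATH:
            alerts.append(Alert(ts, src, dst, "high", "reboot request from unapproved host"))
        else:
            alerts.append(Alert(ts, src, dst, "medium", "setup API access from unapproved host"))
    return alerts

if __name__ == "__main__":
    for a in find_setup_api_calls(SAMPLE_LOG):
        print(f"[{a.severity}] {a.timestamp} {a.src} -> {a.dst}: {a.reason}")
```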

Other one-liners expose further data, including a number of micro services:

$ curl ...

Source: TechCrunch Gadgets
