Google Home Hub Controllable via Undocumented API, No Authentication Needed

The just-launched Google Home Hub smart display can be remotely controlled with no authentication via an undocumented API, as discovered by security researcher Jerry Gamblin.

Gamblin found the potential security issue affecting Google's Home Hub devices after adding his own Hub to his network and scanning it with nmap, which, surprisingly, showed a lot of open ports.

This led to the discovery of an undocumented control API inherited from Google's Chromecast devices. The API exposes multiple endpoints that allow a potential local attacker to run a multitude of commands, some of them dangerous and others useful only for collecting information.

A more detailed view of all the possible commands one can use can be found in this full
