Undocumented API in Google Home Devices Is Easily Exploitable

Jerry Gamblin:

I am genuinely shocked by how poor the overall security of these devices are, even more so when you see that these endpoints have been known for years and relatively well documented.

I usually would have worked directly with Google to reboot these issues if they had not previously disclosed, but due to the sheer amount of prior work online and committed code in their own codebase, it is obvious they know.

Very strange — you can cause any of these devices to reboot or forget their wireless network with a simple curl one-liner. You have to be on the same local network, but still.

Tuesday, 30 October 2018