Google Home Hacked to Spy on you - Researchers exposed

-

A security experimenter was awarded a bug bounty of$,500 for  relating security issues in Google Home smart speakers that could be exploited to install backdoors and turn them into spying  bias.  The  excrescencies" allowed an  bushwhacker within wireless  propinquity to install a' backdoor' account on the device, enabling them to  shoot commands to it ever over the internet, access its microphone feed, and make arbitrary HTTP requests within the victim's LAN," the experimenter, who goes by the name Matt, bared in a specialized write- up published this week.

   In making  similar  vicious requests, not only could the Wi- Fi  word get exposed, but also  give the adversary direct access to other  bias connected to the same network. Following responsible  exposure on January 8, 2021, the issues were remediated by Google in April 2021.  The problem, in a nutshell, has to do with how the Google Home software armature can be abused to add a  mischief Google  stoner account to a target's home  robotization device.

   In an attack chain detailed by the experimenter, a  trouble actor looking to listen in  on a victim can trick the  existent into installing a  vicious Android app, which, upon detecting a Google Home device on the network, issues stealthy HTTP requests to link an  bushwhacker's account to the victim's device.

  Taking  effects a notch advanced, it also  surfaced that, by carrying a Wi- Fi deauthentication attack to force a Google Home device to  dissociate from the network, the appliance can be made to enter a" setup mode" and  produce its own open Wi- Fi network.   The  trouble actor can  latterly connect to the device's setup network and request details like device name, cloud device id, and  instrument, and use them to link their account to the device.  Anyhow of the attack sequence employed, a successful link process enables the adversary to take advantage of Google Home routines to turn down the volume to zero and call a specific phone number at any given point in time to  catch on the victim through the device's microphone.

  " The only thing the victim may notice is that the device's LEDs turn solid blue, but they'd  presumably just assume it's  streamlining the firmware or  commodity," Matt said." During a call, the LEDs don't  palpitate like they  typically do when the device is  harkening, so there's no  suggestion that the microphone is open."  likewise, the attack can be extended to make arbitrary HTTP requests within the victim's network and indeed read  lines or introduce  vicious  variations on the linked device that would get applied after a reboot.

   This isn't the first time  similar attack  styles have been  cooked  to covertly  meddle on implicit targets through voice- actuated  bias.  In November 2019, a group of academics bared a  fashion called Light Commands, which refers to a vulnerability of MEMS microphones that permits  bushwhackers to ever  fit  inaudible and  unnoticeable commands into popular voice  sidekicks like Google Assistant, Amazon Alexa, Facebook Portal, and Apple Siri using light. 

Comments

Post a Comment

Popular posts from this blog

#$1.5M phishing scam

-
Image
  The US Department of Justice has convicted a Nigerian national of participating in a business email compromise (BEC) scam worth $1.5 million. The Feds say Ebuka Raphael Umeti, 35, perpetuated the scam with two alleged partners in crime, using a combination of social engineering and malicious software to pull off the million-dollar BEC scheme. A BEC fraud involves phishing emails and deception to get businesses and organizations to send money or valuable data to attackers, usually over email. According to the DoJ, Umeti got involved in BEC scams as early as February 2016, when one of his alleged co-conspirators, fellow Nigerian national Franklin Ifeanyichukwu Okwonna, is said to have sent Umeti a phishing email template. The collaborators started to see success in 2018, siphoning $571,000 from a New York wholesaler and $400,000 from a Texan metal supplier. In the following years, the scammers started domain spoofing, signed up for VoIP numbers, and communicated over the gaming-focused
Read more

#Microsoft's AI boss thinks it’s perfectly OK to steal content if it's on the open web

-
Image
  Microsoft AI boss Mustafa Suleyman incorrectly believes that the moment you publish anything on the open web, it becomes “freeware” that anyone can freely copy and use. When CNBC’s Andrew Ross Sorkin asked him whether “AI companies have effectively stolen the world’s IP,” he said: I think that with respect to content that’s already on the open web, the social contract of that content since the ‘90s has been that it is fair use. Anyone can copy it, recreate with it, reproduce with it. That has been “freeware,” if you like, that’s been the understanding. Microsoft is currently the target of multiple lawsuits alleging that it — and OpenAI — are stealing copyrighted online stories to train generative AI models, so it may not surprise you to hear a Microsoft exec defend it as perfectly legal. I just didn’t expect him to be so very publicly and obviously wrong! I am not a lawyer, but even I can tell you that the
Read more

#This man used Fake Wi-Fi Scam on Domestic Flights

-
Image
  An Australian man has been charged with running a fake Wi-Fi access point during a domestic flight with an aim to steal user credentials and data. The unnamed 42-year-old "allegedly established fake free Wi-Fi access points, which mimicked legitimate networks, to capture personal data from unsuspecting victims who mistakenly connected to them," the Australian Federal Police (AFP) said in a press release last week. The agency said the suspect was charged in May 2024 after it launched an investigation a month earlier following a report from an airline about a suspicious Wi-Fi network identified by its employees during a domestic flight. A subsequent search of his baggage on April 19 led to the seizure of a portable wireless access device, a laptop, and a mobile phone. He was arrested on May 8 after a search warrant was executed at his home. The individual is said to have staged what's called an evil twin
Read more