Google has pushed back against claims its new Home Hub smart display poses a security risk to users.
A security researcher claimed the device is “beyond dismal” when it comes to protecting the privacy of early adopters. Independent security advocate Jerry Gamblin says the device is wide open to bad actors, and it appears Google’s choice to use Cast tech over Android Things is the culprit.
He says the Home Hub makes use of an undocumented and unsecured API that enables a third party to take “near full remote unauthenticated control” of the device.
In a blog post, Gamblin explained how he was easily able to execute code to force an unauthorised reboot of the device, delete the registered wireless networks and disable all notifications. He says the flaw in the API could enable bad actors to commandeer the device.
In the blog post (via 9to5Google) he wrote: “I am genuinely shocked by how poor the overall security of these devices are, even more so when you see that these endpoints have been known for years and relatively well documented.”
Google has been quick to respond to the accusations in a statement issued to Android Authority. It says the claim is inaccurate and that the API in question pertains to the mobile apps used to configure Home devices and requires that the devices be on the same wireless network.
The company says: “All Google Home devices are designed with user security and privacy top of mind and use a hardware-protected boot mechanism to ensure that only Google-authenticated code is used on the device. In addition, any communication carrying user information is authenticated and encrypted.
“A recent claim about security on Google Home Hub is inaccurate. The APIs mentioned in this claim are used by mobile apps to configure the device and are only accessible when those apps and the Google Home device are on the same Wi-Fi network. Despite what’s been claimed, there is no evidence that user information is at risk.”