Late last week, self-described security advocate Jerry Gamblin revealed that he had uncovered a simple hack of the recently released Google Home Hub. Gamblin was able to reboot the device, wipe all wireless network settings, and disable notifications, all by, allegedly, remotely running a few simple lines of code.
Gamblin said he was able to do this by accessing an undocumented API that gave him remote access to the device.
Granted, these hacks revealed some rather annoying inconveniences that could befall the user, but the fact that he was able to do this at all should raise some eyebrows for current Google Home Hub users and those who were considering buying the device. It’s also alarming that Google, a company that’s already dealing with some data security issues, has yet another product that feels rather insecure.
Privacy and data security have long been the Achilles’ heel of this consumer tech segment. In survey after survey, consumers have continually identified that topic as priority number one. And so long as there’s even a hint that a product isn’t totally secure, they’re likely to stay away. And sure, this Home Hub hack isn’t exposing any data so far as we or Gamblin could tell, but who’s to say that this isn’t the gateway into some bigger problem for the product?
Google, for its part, is leaning in hard on that latter point in their denial of any real issues with the Home Hub’s security. In a statement to Android Authority in response to Gamblin’s tweets, a spokesperson for the company said that all Google Home devices are “designed with user security and privacy top of mind” and that any communication that carries user information is both authenticated and encrypted.
“A recent claim about security on Google Home Hub is inaccurate,” the spokesperson said. “The APIs mentioned in this claim are used by mobile apps to configure the device and are only accessible when those apps and the Google Home device are on the same Wi-Fi network. Despite what’s been claimed, there is no evidence that user information is at risk.”
It makes sense that Google would want to be protective of its product(s). You don’t want there to be a problem with brand-new tech, and especially not one that’s security-related. But rather than attack the source, the company ought to be proactive about the reported issue and acknowledge that it is looking into it. Even if the API could only be accessed while on the same Wi-Fi network, it could still be accessed and manipulated. Is that by design? Is it an oversight? Is it something that requires a fix? Those are the questions Google ought to be answering instead of brushing this off like it’s no big deal.