Google’s “Home” devices are openly accessible on the local subnet. Some basic functions can be read and written. The information extracted from them could be interesting in the hands of an intruder.

When I was younger and wireless networks were emerging, there was a class of routers on the market in Germany that were delivered with unencrypted Wi-Fi and a default password. These routers were DSL modems and phone PBXs in one box. It quickly became a game for young, computer-savvy kids to log into these boxes and mess with their settings. One particular “joke” was to set the wake-up call function to the middle of the night. It was a little bit like the children’s game of ringing the neighbors’ doorbells and then running away.

What Google Home tells about its owner

A similar game can be played with Google’s Home devices. These devices expose a local API that is reached over the Hypertext Transfer Protocol with GET and POST requests and exchanges data formatted as JSON. Parts of their setup are openly readable. Once inside the network, someone could, for example, turn off the alarm clock.

With basic tools like “curl” information can be read and even changed on the device. For example:

curl -s http://<ip>:8008/setup/eureka_info | jq

reads the basic device information. The “jq” command formats the JSON output in a readable manner.

Example Output:

{
  "bssid": "xx:xx:xx:xx:xx:xx",
  "build_version": "141215",
  "cast_build_revision": "1.36.141215",
  "closed_caption": {},
  "connected": true,
  "ethernet_connected": false,
  "has_update": false,
  "hotspot_bssid": "xx:xx:xx:xx:xx:xx",
  "ip_address": "xx.xxx.xxx.xxx",
  "locale": "en-GB",
  "location": {
    "country_code": "DE",
    "latitude": 255,
    "longitude": 255
  },
  "mac_address": "xx:xx:xx:xx:xx:xx",
  "name": "Room Name",
  "noise_level": -88,
  "opt_in": {
    "crash": false,
    "opencast": false,
    "stats": false
  },
  "public_key": "...",
  "release_track": "stable-channel",
  "setup_state": 60,
  "setup_stats": {
    "historically_succeeded": true,
    "num_check_connectivity": 0,
    "num_connect_wifi": 0,
    "num_connected_wifi_not_saved": 0,
    "num_initial_eureka_info": 0,
    "num_obtain_ip": 0
  },
  "signal_level": -51,
  "ssdp_udn": "...",
  "ssid": "WI-FI NAME",
  "time_format": 2,
  "timezone": "Europe/Berlin",
  "tos_accepted": true,
  "uptime": 3250.703279,
  "version": 9,
  "wpa_configured": true,
  "wpa_id": 0,
  "wpa_state": 10
}

Information can not only be read but also written. This command restarts the device by sending "params":"now" as raw data in JSON format to the device:

curl -Lv -H Content-Type:application/json --data-raw '{"params":"now"}' http://ip:8008/setup/reboot

If the parameter is changed to "params":"fdr", the device will do a factory reset (I did not test this on my own devices).

Let me break down the command for better understanding:

  • curl is a command-line tool for transferring data to or from a URL
  • Parameter -Lv combines two options: -L makes curl follow to another location if the server sends a 3xx code back, and -v turns on verbose output
  • Parameter -H defines the header. In this case, it is "Content-Type:application/json"
  • Parameter --data-raw defines the raw data sent. In this case, that is '{"params":"now"}'
  • http://ip:8008/setup/reboot is the URL. ip must be replaced with the IP address of the Google Home device. It is not possible to use a DNS name or hosts-file entry! (Maybe a security patch?)

On GitHub you can find documentation of the API commands known so far: https://github.com/rithvikvibhu/GHLocalApi

What about security?

From the perspective of a hacker, these devices can offer some interesting details about their owners. For example, the BSSID of the access point could be located with WiGLE. Someone who has access to the local network could also observe which alarms are set and from this understand the daily patterns of the residents. Other information can be:

  • Device name: What kind of rooms exist? What are the names of the residents?
  • Alarms: When are the residents at home / away?
  • Timezone: Where is the device located?
  • Locales: What language are the residents speaking?
  • Wi-Fi: Precise location can be traced
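
The list above can be turned into a small self-audit of what your own device hands out. The following Python sketch is an added example, not code from the original post or from the GHLocalApi project; the sample JSON is constructed after the output shown earlier, and the function names and the treatment of out-of-range coordinates such as 255 as "not set" are assumptions. Alarms are not part of the eureka_info output and are not covered.

```python
import json
import sys

# Constructed sample, shaped like the eureka_info output shown earlier.
SAMPLE = """{
  "bssid": "00:11:22:33:44:55",
  "locale": "en-GB",
  "location": {"country_code": "DE", "latitude": 255, "longitude": 255},
  "name": "Room Name",
  "ssid": "WI-FI NAME",
  "timezone": "Europe/Berlin",
  "uptime": 3250.703279
}"""

# Field -> what it reveals to anyone on the subnet (from the list above).
EXPOSURE = {
    "name": "room names, possibly names of residents",
    "timezone": "rough location of the device",
    "locale": "language the residents speak",
    "ssid": "name of the Wi-Fi network",
    "bssid": "access point address that can be geolocated",
}

def real_coordinates(location):
    """Return (lat, lon) if both are valid; assumption: 255/255 means 'not set'."""
    lat, lon = location.get("latitude"), location.get("longitude")
    numeric = all(isinstance(v, (int, float)) for v in (lat, lon))
    if numeric and -90 <= lat <= 90 and -180 <= lon <= 180:
        return (lat, lon)
    return None

def audit(raw_json):
    """List (field, value, meaning) for every privacy-relevant field present."""
    info = json.loads(raw_json)
    findings = [(f, info[f], why) for f, why in EXPOSURE.items() if info.get(f)]
    location = info.get("location") or {}
    if location.get("country_code"):
        findings.append(("location.country_code", location["country_code"],
                         "country the device is in"))
    coords = real_coordinates(location)
    if coords:
        findings.append(("location.lat/lon", coords, "coordinates of the device"))
    return findings

if __name__ == "__main__":
    # Pass a file holding saved eureka_info output, or run on the sample.
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for field, value, meaning in audit(raw):
        print(f"{field:22} {value!s:28} -> {meaning}")
```

Save the output of the curl command shown earlier to a file and pass its path as the first argument to check a real device.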

So, is using a Google Home device safe? The answer depends on the context and is not easy. The safety of smart home devices very often depends on the safety of the whole network. The owners generally should take some precautions to prevent third parties from accessing their network. This includes basic measures such as the encryption of the Wi-Fi, the use of a secure router, regular updates of the operating systems on all computers in the network, virus protection, etc.

Image: By Andrea Marchitelli – Own work, CC BY-SA 4.0, Wikimedia Commons