The Home Hub is Google’s first smart speaker to come with a screen. It works seamlessly with Google’s other products, which means it has some very interesting features. This has impressed almost everybody who has had a chance to play around with it, and the Home Hub has subsequently been getting rave reviews across the internet. One person who hasn’t been impressed, however, is security advocate Jerry Gamblin. In a blog post, Gamblin has raised a rather serious security issue with the Google Home Hub, so we thought we’d take a look at how secure Google’s latest product really is.
Is the Google Home Hub a secure product?
Surprisingly, the Google Home Hub doesn’t run on Android. Instead, the Home Hub runs on a version of the Google Cast software the company developed for use with its Chromecast products. According to Gamblin, this decision has led to a product that is “beyond dismal” at protecting user privacy and that is vulnerable to third parties taking “near full remote unauthenticated control.”
— Jerry Gamblin (@JGamblin) October 27, 2018
In his very technical blog post, Gamblin showed that he was able to reboot the device remotely, delete the saved Wi-Fi networks, and disable all notifications. If done correctly, he believes these vulnerabilities could be used to commandeer the device, turning it into a potential listening device and putting all user information at great risk. Gamblin’s research also discovered that Google has known about these vulnerabilities for a long time and has still not acted on them. This last point is why he, as an independent security researcher, decided to go public with his discoveries rather than contact Google about the potential holes in their security.
Since Gamblin released his findings, many news outlets have picked up the story that Google’s Home Hub is an unsecured device. This has caused Google to react quickly and refute the claims. In a statement to Android Authority, Google said:
“All Google Home devices are designed with user security and privacy top of mind and use a hardware-protected boot mechanism to ensure that only Google-authenticated code is used on the device. In addition, any communication carrying user information is authenticated and encrypted. A recent claim about security on Google Home Hub is inaccurate. The APIs mentioned in this claim are used by mobile apps to configure the device and are only accessible when those apps and the Google Home device are on the same Wi-Fi network. Despite what’s been claimed, there is no evidence that user information is at risk.”
Google is saying that what Gamblin has discovered is true, but that he has missed one small point. As the Home Hub is supposed to be a control and display unit, it needs to communicate with other smart objects connected to the Wi-Fi network. Gamblin was able to execute several worrying commands, but only because his computer had been authorized to work on the same Wi-Fi network as his Google Home Hub. A hacker would not be able to execute the same commands unless he already had access to the home Wi-Fi network. This would explain why Google hasn’t acted on the issues Gamblin highlighted.
In answer to the original question then, the Google Home Hub is as secure as your home Wi-Fi network. For tips on how to boost your home Wi-Fi network security, check out our guide below.