A security researcher recently reported that he found a security flaw in the Google Home Hub. Jeremy Gamblin, the researcher in question, was able to use an “amazingly unsecured” API to force the device to reboot or reveal data about the network it was connected to. Google has now explained that this perceived flaw isn’t really a security threat.
Gamblin noticed that the device was using a few open ports, so he started playing around with the command prompt on his computer to see what he could find. He was later able to reboot the device with a single line of code and even delete the Home Hub’s Wi-Fi network as well as disable notifications.
Google has now responded to the matter. It told Engadget that “A recent claim about security on Google Home Hub is inaccurate.” It explains that the APIs mentioned in this claimed exploit are used by mobile apps to configure the device and they’re only accessible when those apps and the Google Home Hub are on the same Wi-Fi network. “Despite what’s been claimed, there is no evidence that user information is at risk,” the company said.
What this means is that for an attacker to use this exploit to mess with your Home Hub, they would have to be on the same Wi-Fi network as the Home Hub. The security assumption here is that you wouldn’t have the device connected to an unsecured Wi-Fi network.