Hackers take control of tens of thousands of smart devices Google

Two hackers run a script to hack into random Google Home devices worldwide via the web. It turns out that this is easy when certain ports are open. The devices themselves do not do authentication. Google is now aware.

The two hackers behind the project have set up a website to keep track of the results. There they speak that up to the time of writing 72,341 smart devices have fallen prey to their sniffer. The vast majority of those are Chromecasts and smart TVs with Cast functionality. A small part are Google Home speakers.

Initially, the script forced the devices to play a playful video, but they no longer do that. Now the devices are only mapped. YouTube has taken the videos in question offline, meaning parent company Google, officially Alphabet, is aware of the practices.

The videos contained a link to the hackers’ website, which explains how victims can protect themselves. That effect has now been negated. In the FAQ on their site, they explain that the devices reveal a range of data: lists of Wi-Fi and Bluetooth names, uptime, alarm clocks and, according to the hackers, much more. A malicious person can play video, reboot and factory reset devices, forget the Wi-Fi and the like. Sensitive data cannot be reached. To protect themselves, users must close ports 8008, 8009, and 8443. Upnp must also be disabled.

Update, 13:14: The article first said it was about ethical hackers, but that’s not correct: ethical hackers inform the company that can distribute a fix and wait for that fix before exposing a vulnerability and as walteij pointed out, the course of action is here different.