I was recently rewarded a total of $107,500 by Google for responsibly disclosing security issues in the Google Home smart speaker that allowed an attacker within wireless proximity to install a "backdoor" account on the device, enabling them to send commands to it remotely over the Internet, access its microphone feed, and make arbitrary HTTP requests within the victim's LAN (which could potentially expose the Wi-Fi password or provide the attacker direct access to the victim's other devices)... | Matt's internet home
After the work detailed in part 1, altering the content of the NAND flash of the Google Home Mini with ease is now possible. Despite this very privileged access, because of Google's secure boot implementation, running arbitrary code on the CPU of the device isn't possible using simple and naive methods. However, as we'll see, there is still a way. This post will detail how I achieved code execution. It will require fuzzing, understanding some Linux code and finally exploiting a kernel b... | Courk's Blog