LAS VEGAS – The Tencent Blade Team of researchers demonstrated several ways they have developed to hack and run remote code on Google Home smart speakers. The hacks center around what is known as a Magellan vulnerability, which can be used to exploit the massively popular SQLite database engine.
Here at a session at DEF CON on Thursday, the researchers shed light on their work “breaking” Google Home. What made the talk unique wasn’t necessarily that Google Home smart speakers could be compromised using Megellan – that was public news in Dec. 2018 – rather it was how the hack was pulled off.
On stage Tencent researchers Wenxiang Qian, YuXiang Li and HuiYu Wu laid out the evolution of their research.
The hack of Google Home first focused on hardware, similar to the researchers approach when compromising Amazon Echo, made public last year at DEF CON. In the Echo case, researchers tampered with the flash hardware chips to create the attack scenario. In the case of Google Home, it was a bit trickier because researchers couldn’t find a hardware interface for debugging and flashing – as they did with the Amazon Echo hack.
So in this instance, researchers found clues to pull off their hack by extracting the Google Home firmware, through dumping it from the device’s NAND flash.
Because of secure boot and other OTA security verification mechanisms, researchers said directly tampering with firmware was out of the question.
“We designed a new adapter to export the pins of the test socket to a larger pitch. So, we can easily connect the chip to the programmer. Finally, it is used to read the firmware through the programmer,” researchers said.
From there they looked for weaknesses to exploit. One such method included an easy way to simulate an upgrade request (TLS). Researchers also identified a potential road to a Google Home compromise via the CAST protocol, used by Google Home to cast multimedia content from one smart device to another.
“We exploited the Magellan vulnerability to compromise cast_shell (the main program of Google Home). Through cast protocol, we can trigger Google Home to visit malicious web pages to exploit the Magellan vulnerability to exploit cast_shell,” researchers told Threatpost.
Magellan, a set of three heap buffer overflow and heap data disclosure vulnerabilities in SQLite (CVE-2018-20346, CVE-2018-20505 CVE-2018-20506), affects a large number of browsers, IoT devices and smartphones that use the open source Chromium engine. As applied to Google Home, it can lead to remote code execution via weaknesses in Chrome renderer – a la the known Magellan attack technique exploiting the SQLite flaw.
The researchers also expanded the attack surface of Google Home to include one based on a malicious app. In this example, an attacker posts a malicious Cast app to an app store. Now an attacker can remotely trigger Google Home to load the malicious app in the LAN. Next, Google Home is forced to visit a malicious URL via an embedded Chrome browser- triggering the Magellan attack.
The good news is, according researchers, there are no indications that Magellan has been abused in the wild.
“We have reported all the details of the vulnerability to Google and they have fixed the vulnerability. If your product uses Chromium, please update to the official stable version 71.0.3578.80 (or above). If your product uses SQLite, please update to 3.26.0 (or latest release).”
_Black Hat USA 2019 has kicked off this week in Las Vegas. For more Threatpost breaking news, stories and videos from Black Hat and DEF CON, _click here.