There is an undocumented web API in Google's Home Hub which is causing a bit of concern over at The Register and elsewhere. This mysterious interface is available to anything on the same WiFi network as the Home Hub, and it does not check for any authentication or tokens, which means anyone connected to your WiFi can successfully connect and start to play with your settings. Currently there is code which is capable of rebooting the device or completely deleting the currently configured network, requiring you to rebuild it from scratch. That could be very annoying if the delete command is coming from malware already inside the house, as it were.
Hopefully some basic authentication will be added ASAP, as its absence is a very blatant oversight.
"A spokesperson for Google confirmed that any device, computer, or smartphone on the Wi-Fi network of a Home Hub can command the assistant as described above – that includes mischievous malware on a PC, for example."
Here is some more Tech News from around the web:
- Apple's iOS 12.1 lockscreen can be bypassed using FaceTime group call exploit @ The Inquirer
- iOS 12.1 Extends Controversial Processor Throttling Feature To the iPhone 8, 8 Plus, and X @ Slashdot
- Apple Kernel Code Vulnerability Affected All Devices @ Hack a Day
- TSMC opens 12-inch fab in Nanjing @ DigiTimes
- Spectrum-starved Wi-Fi vendors look at DSRC band, sharpen knives @ The Register