Google Home User Data Can Be Seen on Shared WiFi Networks and Devices Controlled by Other Users, Not for Use in Universities and Offices – EXCLUSIVE
- The user name, device name, streaming information, and other details of Google Home devices are visible to any user on shared networks such as those found in Universities and offices
- Users that are not the registered owner of a Google Home device can also change the device name, control the volume, and stream content when connected to the same network
- Google representatives say the features operate as intended and Google Home is designed for home use on private networks and not on shared networks
Google Home devices have a nice feature for in-home discovery and control. When someone with the Google Home app is on the WiFi network they can see and control the other devices. This may be helpful for home-based users. It becomes more problematic on shared networks.
Voicebot was contacted Friday by Belal Abdelfattah, Assistant Professor of Information Systems and Operations Management at the George Mason University School of Business. Professor Abdelfattah had arrived in his office early to complete some work and his Google Home suddenly began playing loud music. “The only reason I found this out is I was working early and my smart speaker starting jamming some rock music. Yesterday, I noticed my volume going up and down and I thought that was weird.”
Unsecured Access to Change Device Names and Stream Content
These unexpected events led Professor Abdelfattah to investigate by opening his Google Home app. What he discovered surprised him. He could see more than a dozen other Google Home devices in his app in addition to his own device in his office. These were all Google devices connected to a shared University network. He realized then that he could actually see information about those devices such as the device owner’s name, the device name, and what content was streaming. He eventually figured out that he could actually change the device name, stream music to the devices, reboot them and control the volume. This prompted him to reach out to Google’s customer support about the issue. He began with an online chat that follows below from a screen capture of the exchange.
Google Home is Not Intended for Use in a Shared Network
The Google rep then called him to gather more information. When the rep suggested he couldn’t see those other devices Professor Abdelfattah pointed out that someone was currently on the network and watching something about Tesla and it was an hour long and he could adjust the volume if he wanted. He told the Google representative that he needed to contact the George Mason security team about the issue. According to Professor Abdelfattah, the Google customer service representative commented toward the end of his conversation that Google Home is intended for use at home. Abdelfattah stated:
“She said, ‘Google Home is intended to be used at home in a private network.’ But, students in dorms here have Google Home devices connected to the Mason network. You need to make users aware of this that [other] users can access their devices.”
Both statements seem fair. Voicebot is not aware of Google marketing the Google Home products for any setting outside the home where networks are presumably private, or at least commonly so. Professor Abdelfattah is correct that consumers are using the devices on shared networks and should be aware that the devices do not have protections against others on the network viewing and controlling them. When asked by Voicebot whether as an Information Systems professor he viewed this as a bug or a security flaw he commented:
I would characterize it as a security flaw. And, it’s a privacy issue. If I can see what people are listening to, it’s a privacy violation. They are interrelated.
Not An Isolated Issue, It’s a Feature
Professor Abdelfattah asked a colleague of his to see if he could also view other Google Home devices and he confirmed there was a similar level of visibility. Voicebot reached out to a business that has many Google Home devices set up by different employees that share a common wireless network. All of the claims made by Professor Abdelfattah could be replicated on that other network for devices registered to different users. A Google spokesperson confirmed that this is not an isolated issue. When asked about it, the spokesperson responded:
You’re correct that the behavior witnessed is based on features that optimize for ease of discovery and control on home networks. Google Home products are designed for home networks.
The Google spokesperson said guidance could be found in this help center article. It is, in fact, a feature of the system according to Google. While it may be benign most of the time in a household setting, these devices are being used today on shared networks. College dorm rooms and business offices are just two examples. The purpose of Professor Abdelfattah was to learn more about the issue and make Google Home users aware of the risks associated with using the devices on a shared network.
Permissive Device Discovery Also Related to an Earlier Issue
The situation highlights how certain features designed for user convenience in one setting can lead to security issues in another context. This is not Google’s first confrontation with security issues related to Google Home. Last summer, Google closed a known security flaw also related to this very feature. Hackers could, in that instance, identify the location of website visitor through a sequence of steps that ultimately provided access to Google devices on a home network and used that to determine the home location. Voicebot commented at the time:
“This situation highlights the fundamental conflict between features that enable ease of use and those that attempt to protect privacy and security. It is inconvenient to have passwords to dozens of websites but doing so typically provides a modicum of security protection. It is even more inconvenient to use a VPN, but the fully encrypted traffic protects users from having their data communications revealed to outsiders. Similarly, it is inconvenient to force each device to discover other devices on a home network which is assumed to be populated with only friendly devices. This permissive behavior helps consumers while also introducing risk.”
Google also came under fire in February from consumers, media, and even a Senate Committee because a security device from the company’s Nest division was shipped with a microphone that was not listed in the product specifications. This microphone was later revealed as enabling access to Google Assistant after a software update but some consumers raised concerns about whether they should have been informed.
One Way to Address Privacy Concerns on Shared Networks
We did learn one way to potentially use a shared network and not have your device visible to casual users. Whoever controls the network could obscure the device MAC address from being displayed on the network. Since the user is already connected to the device it would operate as expected, but others would not be able to see it unless of course, they had network control access. It is not a perfect solution but could protect your privacy.
Follow @bretkinsella Follow @voicebotai
Alexa Can Now Invoke Skills without a Launch Request, Some Google Actions Can Do This Too
Google Home Location Security Vulnerability to be Closed in July