Google Home Is Insecure!

2016-12-28

No, no, this has nothing to do with my previous blog post about Google creating conditions that should make spammers very happy. In fact, I only call out Google Home because that’s what I have. In reality, this also affects Amazon Echo.

These new voice controlled home assistant devices are insecure by design. The reason for this is to get the technology out while trying to figure out how to fix this design flaw.

The problem is there is no authentication with these devices once they’re set up. They have open access to any accounts you associate with them. Anyone that is capable of speaking, then, has access to those accounts.

The solution? I have no idea. I would guess that at some point some voice print identification would have to come into play. Right now, these devices and service have no idea who is making the request by voice and only knows that a request is made on that account.

This is the major flaw with these devices.

However, I can give you a workaround, and both Amazon and Google have their own way in handling this. Create an account for the home assistant device, and then associate it with a parent/family account. With this, you can still access all of the services, but with quite a bit of control over what these devices can access.

You should even still have purchasing power with the Echo. Purchases just have to be approved by the parent account.

As I live alone, this is not an immediate problem, but I fully intend to make a “home” account for these smart devices and bring it in to my Google “family”. I can share playlists with that account and it can access all of the services available through the family sharing, such as Google Music, Youtube Red, etc.