Google home speakers - how to stop them from entering setup mode when WiFi drops?

Gnome10

Occasional Visitor
Hope this is the proper forum to post this - I carefully looked.

As I'm sure many of you know, if a Google Home Speaker loses wifi connectivity, it automatically falls back into setup mode, exposing an unsecure SSID, and the name of the device. I've always considered this a major security oversight by Google. It makes no sense. If it can't see its designated wifi signal, it should just sit there and try to reconnect to the wifi, not go into setup mode. I have no idea why they designed it this way. Not surprisingly, this "feature" has been abused (see below):

There was a recent news story about a researcher who found a pretty massive hole in Google's security to access and hack a Home Speaker, and it required this particular fall-into-setup-mode "feature" to accomplish the entire hack. Google fixed its firmware in 2021, so any speakers that were up-to-date as of the news release (late 2022) should be protected against this exploit. Of course, if a hacker figured it out before the researcher figured it out, it could have been abused before or during the lag between the researcher's initial report to Google, and their fixes. But, Google's fix didn't even address the issue of falling back into setup mode - which, even after such a hack was reported, is pretty shocking they still didn't clue in.

So, I'm trying to think of any way to avoid this Google Home Speaker design FLAW. Please don't recommend to toss my Google Home speakers. I don't use them for anything other than music. It's not linked to any personal information, it's not on my main Google account, mics are ALWAYS muted - I purely use them for wifi music. The only thing I can possibly come up with is a wifi-capable power outlet IoT device that will cut power if it fails to detect my network, and plug every speaker into a separate one.

If anyone has come up with an easier solution, I'm all ears. Thanks.
 
Tin foil hat?


Just kidding, but you could really try removing the wireless antenna and shielding its wifi module with tinfoil or something, then use a wired connection instead.

 
Ha! I didn't even know you could hard-wire those speakers. Unfortunately, the whole point of wifi speakers is to easily place them throughout the house. There's no reasonable way I could get them on the wired LAN. I wish, but not possible. Good info, though, to know it's possible. Thanks!
 
I've always considered this a major security oversight by Google.

I think you've just maybe gone down a rabbit hole and developed a bit of paranoia, and lack familiarity with the device you own. Also why do you think you know better than Google? lol.

IoT devices, whether it's a wall outlet/plug or a Google Nest device, are not built with security in mind. These products (plug more so than the Google speaker) are made to be low maintenance, low energy, and easy to set up. So if you invest in a lot of "smart" products, or these IoT wifi-managed home products, then it's something you'll have to accept. So there's that.

Next, it sounds like you have a Google Home device that you use as a speaker. Google's primary revenue model is to take your information, collect/aggregate it, and sell it to whoever buys. Your Google Nest is quite literally a 24/7 listening device that is feeding your home habits/personal life to Google to sell. This is a bigger problem than the one you think you have lol.

Which leads to the unsecure SSID issue you think you have. What you see that gets broadcast is designed that way because they intend for the device to always be connected to your home network, otherwise they can't take your information. If it can't connect to a network, it assumes it needs to be set up, which they make as easy as they can. The duration of this broadcast is intended to be just for a few mins, and even if somebody connects to your Google Home, they still need your home network password and Google account details.

Lastly, I think you probably misunderstood or lack some context behind this whitepaper you read. These researchers spend long hours going over every single potential attack vector with many different tools. Their research is generally more valuable to the company than it is to you, and more often than not it is patched by the time you hear about it or not long after. From your post it sounds like Google patched this vulnerability, and you're associating the SSID thing you perceive to be unsecure with that (confirmation bias :p)

In summary: You have nothing to worry about with your Google Home thingy, unless you are someone who is being attacked by a very dedicated and persistent actor every day. Even then they would probably opt to sautee your home router instead of wasting time on a speaker lol

Throw away the Google Home, and get yourself a pair of HomePod minis if security/privacy is something you value. Alternatively, a Bluetooth speaker will work.
 
Also why do you think you know better than Google? lol.

Did you just join to troll the forum? Seriously, did you even read what I wrote?

Next, it sounds like you have a Google Home device that you use as a speaker. Google's primary revenue model is to take your information, collect/aggregate it, and sell it to whoever buys. Your Google Nest is quite literally a 24/7 listening device that is feeding your home habits/personal life to Google to sell. This is a bigger problem than the one you think you have lol.

If you read what I wrote, we don't use the speakers for anything other than speakers. Nothing is tied to them, no accounts, we don't use them for searching, the mics are all muted, they are isolated from everything. They are wifi speakers.

Which leads to the unsecure SSID issue you think you have. What you see that gets broadcast is designed that way because they intend for the device to always be connected to your home network, otherwise they can't take your information. If it can't connect to a network, it assumes it needs to be set up, which they make as easy as they can. The duration of this broadcast is intended to be just for a few mins, and even if somebody connects to your Google Home, they still need your home network password and Google account details.

Do you even know what you're talking about? It doesn't seem like it. What wifi device drops back into setup mode after it can't see the router? Pray tell? This is not normal behavior. What you explained is not the way most, the vast majority, of devices work - they continue to look for the network to which they were attached. You are just making up nonsense! The duration of the Google Home speaker setup mode is FOREVER, until they see the network again! A few minutes? What nonsense!

Lastly, I think you probably misunderstood or lack some context behind this whitepaper you read. These researchers spend long hours going over every single potential attack vector with many different tools. Their research is generally more valuable to the company than it is to you, and more often than not it is patched by the time you hear about it or not long after. From your post it sounds like Google patched this vulnerability, and you're associating the SSID thing you perceive to be unsecure with that (confirmation bias :p)

If you read what I wrote, I just explained to you that the exploit has likely been patched long before anyone could take advantage of it. You are literally telling me what I just wrote myself! It was an example of how this setup mode issue can be exploited, not the exact attack I'm expecting.

Throw away the Google Home, and get yourself a pair of HomePod minis if security/privacy is something you value. Alternatively, a Bluetooth speaker will work.

If you read what I wrote, Please don't recommend to toss my Google Home speakers.
 
Your answer to patching a non-existing security flaw is to put it behind a smart plug, lol. Okay! Sounds like you already know what you're talking about. Good luck turning your device into whatever it is you demand it should be.
 
@Go0se Be more respectful in your posts or you will be banned.
@Gnome10 If you think you are being trolled, don't feed it.
Thread closed.
 
Thread reopened by request. Keep it civil or I’ll reclose.
 
You guys don't even know about how the real world goes. Why are you guys attacking Gnome10? Because you've never heard about that security issue which he mentioned?
Gnome10 is talking about this.

Me?
I removed all of the Google speakers from my network a long time ago. I still have a lot of removed Google speakers. I mentioned it here on SNBForums. Because I found strange packets from Google Nest Hub which ruined the entire network system. They often don't even release patches for well-known bugs and vulnerabilities. Don't forget that there are many dark markets for unknown vulnerabilities and hacks. You give the money? They give you exploits, codes, hacks, dedicated hacks and more. They do DDoS attacks if you pay for it. There is always more than meets the eye.
 
Thanks for adding some sanity to this place.

I ended up with Google Speakers because I found a crazy good deal on them. I don't want to ditch them - they sound great, and provide great full-house sound, easily deployed. I've taken every precaution, as I mentioned, to make sure they can't be hacked (including enabling more defenses at the router level).

But, this setup mode, automatically broadcasting the SSID when the network can't be seen, is just absurd. If my WiFi goes down, every single speaker (about 10) is sitting there broadcasting its open SSID for everyone in the neighborhood to see. It's so stupid, such a ridiculous WiFi device behavior, that it's no surprise that it's been used as a portion of an attack vector. And, it's something Google could easily fix.

Anyway, I know you would remove the Google speakers, but as I said in my OP, I'd like ideas on how to avoid that. Thanks for chiming in.
 
Here is my old post.
 
Weird behavior. I haven't seen that behavior, but I didn't really deploy the speakers until about 2021. Also, I only have Google Homes, not Google Minis or Hubs. The problem I'm discussing has only happened a handful of times when my router appears to have dropped all WiFi. I doubt it's the same thing your thread is discussing. Last time it happened was like 2 months ago. It's probably happened 5 times in the last 2 years. It's just particularly annoying, and alarming (at least to me), when you wake up, realize the WiFi dropped, and all WiFi channels are covered with your Google Homes broadcasting their SSIDs.
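
A way to at least find out when the speakers have dropped into setup mode, added here as an example and not posted by anyone in the thread: this Python script reads `nmcli` terse scan output on a Linux machine and reports open networks whose SSID contains one of your speaker names. The speaker names, the sample scan lines and the name-in-SSID match are assumptions (the thread only says the setup SSID exposes the device name).

```python
import subprocess

# Assumption: the names given to each speaker in the Google Home app.
SPEAKER_NAMES = ["Kitchen", "Living Room", "Office"]
OPEN_MARKERS = {"", "--"}  # how nmcli reports a network with no encryption

# Constructed sample of `nmcli -t -f SSID,SECURITY,SIGNAL device wifi list`.
# The SSIDs are made up; they are not the real setup-mode naming format.
SAMPLE_SCAN = r"""HomeNet:WPA2:82
Kitchen setup\:1234::71
Office setup:--:40
Neighbour-Open::55
Living Room TV:WPA2:60
"""

def split_terse(line):
    """Split one nmcli terse line on ':' while honouring '\\:' and '\\\\' escapes."""
    fields, cur, i = [], [], 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            cur.append(line[i + 1])  # escaped character is taken literally
            i += 2
        elif ch == ":":
            fields.append("".join(cur))
            cur, i = [], i + 1
        else:
            cur.append(ch)
            i += 1
    fields.append("".join(cur))
    return fields

def find_exposed(scan_text, speaker_names):
    """Return (ssid, speaker, signal) for open SSIDs naming a known speaker."""
    exposed = []
    for line in scan_text.splitlines():
        fields = split_terse(line)
        if len(fields) != 3 or fields[1] not in OPEN_MARKERS or not fields[2].isdigit():
            continue
        ssid, _, signal = fields
        match = next((n for n in speaker_names if n.lower() in ssid.lower()), None)
        if match:
            exposed.append((ssid, match, int(signal)))
    return sorted(exposed, key=lambda e: -e[2])  # strongest signal first

def live_scan():
    """Run a real scan; needs NetworkManager and a Wi-Fi adapter."""
    cmd = ["nmcli", "-t", "-f", "SSID,SECURITY,SIGNAL", "device", "wifi", "list"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    for ssid, name, signal in find_exposed(SAMPLE_SCAN, SPEAKER_NAMES):
        print(f"speaker '{name}' appears to be in setup mode: open SSID '{ssid}' ({signal}%)")
```

Swap `SAMPLE_SCAN` for `live_scan()` and run it from cron on a wired machine to get a log of how often and how long the speakers sit in setup mode.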
 
