Breaking Google Nest Hub Secure Boot


[frederic] tells the story of their team hacking a Google Nest Hub (2nd Gen) – running Ubuntu on it, bypassing Google’s boot image signature verifications. As with many good hacks, it starts with images from the FCC website. In reverse engineering a charger and USB daughterboard pinout, they found a UART connection and broke it with a custom adapter. With a debug console and process information, they continued hacking, hacking hardware and software until it was all done.

This story gives a lot of context and insight into both the code that was studied and how the attack targets were chosen. Using fuzzing, they found a buffer overflow in the boot loader code that could be triggered using a non-standard block size. USB flash drives tend to have them hard coded so they created special firmware for a Pi Pico and soon after realized the code execution. Then they logged into uboot functions and loaded Ubuntu, bypassing the boot image signature checks.

This is a wonderful documentation of a hacking journey and an exciting read to boot (pun intended). The bug seems to have been fixed for six months now, so you probably can’t flash your Google Nest on Ubuntu anymore. However, you may be able to run up-to-date Linux on your Amazon Echo.

We thank [Sven] to share this with us!


Comments are closed.