This guy installed Ubuntu Linux on his Google Nest Hub

The 2nd-gen Google Nest Hub is Google’s smartest smart display yet, offering sleep tracking, passable performance, and all the Assistant intelligence you could need. For all its smarts, the Nest Hub still isn’t a full computing device, though — the OS is far too limited. While Google is hard at work building a Pixel tablet as an alternative, it will still take some time until it sees the light of day. In the meantime, an avid hacker has managed to turn the existing Nest Hub hardware into a device that actually runs Linux distribution Ubuntu, teaching Google some security lessons while at it.

As spotted by Mishaal Rahman, San Diego-based security researcher Frédéric Basse published a report on this Nest Hub vulnerability. He details how it’s possible to exploit security loopholes in the Nest Hub’s boot process to sidestep security measures, allowing him to install a stripped-down version of Ubuntu on the device. To achieve this, he had to pry open the base of the Nest Hub, revealing a hidden USB port meant for debugging or repairs, which he connected to a USB device to boot from. A software bug in the open-source “U-Boot” bootloader allowed him to bypass secure boot, and the rest is history, as you can see in the GIF below.


In his conclusion, he makes clear that this issue shouldn’t even exist in the first place. It looks like Google relied on an older version of the open-source bootloader that still offered this exploit (which was actually fixed as early as 2019), and it’s also questionable whether the Nest Hub even needs a regular USB port for debugging.

The security researcher didn’t just post about this exploit willy-nilly. He initially submitted it to the 2021 Pwn2Own competition, but it didn’t qualify. Shortly after, he disclosed the vulnerability to Google, which then released a security update in December 2021. He only made the exploit public in June 2022.


While it’s concerning that this vulnerability has made it into the final release of the Nest Hub, it probably won’t ever be something that will be exploited in real life. An attacker would need physical access to the device, quite some time for tinkering with it, and some way to hide all the additional hardware from view in order to use this exploit to snoop on someone. While it’s not good that this unfixed vulnerability exists, it probably isn’t too big a deal, and mostly makes for a fun hacking project rather than anything else.

It’s also clear that this is nothing but a proof of concept, given that the Nest Hub lacks the proper input options for Ubuntu and would probably feel rather cramped due to the small screen. Nevertheless, once Google decides that the Nest Hub shouldn’t be supported anymore, this exploit could allow keen tinkerers to breathe new life into the device — much like you would with a custom ROM on Android.


UPDATE: 2022/06/20 04:36 EST BY MANUEL VONAU

Fix rolling out

A Google spokesperson has confirmed to us that a fix for this vulnerability is currently rolling out.
