I just discovered a story about Ubuntu running on a Google Nest Hub (2nd gen).
Well, that’s definitely exciting!
So, let me tell you more about it here.
Hack Google Nest Hub to install Ubuntu
Yes, a hacking attempt made this possible.
A cyber security expert, Frederic Bassebroke secure boot on Google Nest Hub (2nd gen) and managed to run Ubuntu.
Of course, Google Nest Hub doesn’t officially support booting a custom operating system. But a vulnerability allowed Fred to use an exploit and run Ubuntu.
While that’s fun, it’s also a serious problem for an always-connected smart home display from Google.
As explained in his blog post, the hacker used a Raspberry Pi Pico microcontroller to exploit a USB bootloader flaw to break secure boot chain.
The security expert concluded:
As a result, an attacker can execute arbitrary code early in the boot phase (before kernel execution) by plugging in a malicious USB device and pressing two keys
He also made the bootloader exploit available on GitHub in case you want to experiment (suitable for security researchers).
Getting Ubuntu to work on Google Nest
The exploit allowed the attacker to boot an unsigned operating system. However, he had to make some adjustments to the pre-installed Ubuntu image, which is tailored for the Raspberry Pi (64-bit ARM).
He mentions the following:
We will create a custom U-Boot bootloader with secure boot disabled and modified boot flow to load environment from USB flash drive. We are also building a custom Linux kernel for elaine with additional drivers like USB mouse. Ubuntu’s initial ramdisk (initrd) is repackaged to include the firmware binaries required for the touchscreen. The boot image is built based on the custom Linux kernel and a modified initrd.
So it’s obvious that you won’t get a full Ubuntu experience, but thanks to the exploit we now know that Ubuntu can be run on a Google Nest as an experiment if you’re willing to break your Google Nest for the test (Tu not really!).
Smart Home Security Concern + Linux
The cybersecurity expert mentions that the vulnerability was patched upstream (twice).
But the lack of CVE may have affected the fix, which doesn’t propagate downstream, the researcher suggests.
No doubt it’s great to see Linux running on an unsupported device. So I’m wondering if we should do that to someone Commercial smart home devices running Linux?
Does something like this already exist?
Still, it’s equally concerning that smart home devices are vulnerable to simple attacks.
What do you think? Share your thoughts in the comments below.