A security vulnerability present in Google Home and the Chromecast device was made public recently, as it presented a very accurate physical location on these devices when connected to a network. When exploited, this can give hackers a physical location which could ultimately lead to danger for users of the Google Home smart speaker and digital assistant, as well as users of the Chromecast TV streaming device. Google is apparently preparing to roll out a fix for the said vulnerability.
Craig Young, a researcher with security firm Tripwire, said that he discovered an authentication weakness that leaks an accurate location of the devices when they are connected to a network. It is common for networks to work with Internet Protocol (IP) addresses within the network, and that includes location information which is in most cases imprecise (region or area only). But with Google’s geolocation data, the accuracy is very much real. Young said the hacker can attack by asking the Google device for a list of nearby wireless networks and then sending that list to Google’s geolocation lookup services.
“An attacker can be completely remote as long as they can get the victim to open a link while connected to the same Wi-Fi or wired network as a Google Chromecast or Home device,” Young said. “The only real limitation is that the link needs to remain open for about a minute before the attacker has a location. The attack content could be contained within malicious advertisements or even a tweet.”
In the researcher’s proof of concept, a URL is opened on a computer connected to a Wi-Fi network that’s also connected to a Google Home or Chromecast device. If the URL is clicked and the webpage is kept open for around a minute, the user’s home GPS location is found – and subsequently exploited. Check out the video below.
The attack works in Linux, Windows, and macOS, just so long as the victim is using Firefox or Chrome. “Starting from a generic URL, my attack first identifies the local subnet and then scans it looking for the Google devices and registers a subdomain ID to initiate DNS rebinding on the victim,” said Young. “About a minute after the page had loaded, I was looking at my house on Google Maps.”
According to the source link below, Google is apparently planning on rolling out “an update to address the privacy leak in both devices.” The upcoming update will reportedly roll out in mid-July of 2018. So until then, be careful.