There is a location privacy issue in Google Home and Chromecast devices. New research shows that websites can run a simple script in the background to collect the precise location of people who have a Google Home or Chromecast device on their local network.
A researcher from security firm Tripwire discovered the authentication weakness. The researcher said that the attack works by asking the smart devices for a list of nearby wireless networks and then sending that list to Google’s geolocation lookup services.
The only limitation of the attack is that the link (or the script) needs to remain open for about a minute for the attacker to get the location.
“An attacker can be completely remote as long as they can get the victim to open a link while connected to the same Wi-Fi or wired network as a Google Chromecast or Home device. The only real limitation is that the link needs to remain open for about a minute before the attacker has a location. The attack content could be contained within malicious advertisements or even a tweet,” the researcher told KrebsOnSecurity, which ultimately prompted Google to take action on it.
Wi-Fi location data is much more precise than location information retrieved from IP addresses. Websites usually keep track of visitors’ IP addresses, and those addresses can be used to loosely locate a visitor, but the result is not nearly as precise as a Wi-Fi based lookup. Google maintains a comprehensive map of wireless network names around the world, linking individual Wi-Fi addresses to their corresponding physical locations. More often than not, Google’s methods can pin down a location to within a few feet, even in a densely populated area.
Google does so by triangulating the user between nearby mapped Wi-Fi access points. You can easily see this in action by turning off mobile data, removing the SIM, and running Google Maps with Wi-Fi on.
The bug can be exploited to steal other data as well. Scammers can use it to make phishing attacks more realistic. Hackers who threaten to release compromising photos or expose secrets to friends and family can use the location data to make their fake claims more credible.
Google initially told the researcher that the feature was intentional, responding to the bug report with “Status Won’t Fix (Intended Behaviour)”. After being contacted by the security firm, Google changed its stance and said it is planning to roll out an update to address the bug in both devices. The update will roll out in mid-July 2018.