Google Home, Chromecast bug easily leaks precise location data

By Digit NewsDesk | Updated 19 Jun 2018
Google Home, Chromecast bug easily leaks precise location data
  • Google Home and Chromecast can be exploited by a simple script to reveal precise location data of users. Google promised to release a fix by mid-July 2018.

There is a location privacy issue in Google Homes and Chromecast devices. New research shows that a simple script can be run by websites in the background to collect the precise location of people who have a Google Home or a Chromecast device that’s on their local network.

advertisements

A researcher from security firm, Tripwire discovered the authentication weakness. The researcher said that the vulnerability works by asking the smart devices for a list of nearby wireless networks and then sending the list to Google’s geolocation lookup services.

The only limitation of the attack is that the link (or the script) needs to remain open for about a minute for the attacker to get the location.

“An attacker can be completely remote as long as they can get the victim to open a link while connected to the same Wi-Fi or wired network as a Google Chromecast or Home device. The only real limitation is that the link needs to remain open for about a minute before the attacker has a location. The attack content could be contained within malicious advertisements or even a tweet,” the researcher told KrebsOnSecurity that ultimately informed Google to take action on it.

Wi-Fi location data is much more precise than location info retreived from IP addresses. Websites usually keep a track of IP addresses of visitors and those addresses can be used to loosely locate the visitor. It isn’t precise unlike Wi-Fi addresses. Google maintains a comprehensive map of wireless network names around the world. It links individual Wi-Fi addresses to its corresponding physical location. More often than not, Google’s methods can lock down location to within a few feet, even in a densely populated area.

advertisements

Google does so by triangulating the user between nearby mapped Wi-Fi access points. You can easily see this in action by turning off mobile data and removing the SIM and running Google Maps with Wi-Fi on.

The bug can be exploited to steal other data as well. Scammers can make phishing attacks more realistic. Hackers can threaten to release compromising photos and expose secrets to friends and family and use the location data to make the fake claims more credible.

advertisements

Google initially replied to the researcher saying that the feature was intentional. As a response to the bug report, Google replied “Status Won’t Fix (Intended Behaviour)”  but after being contacted by the security firm, Google changed its stance and said it is planning to roll out an update to address the bug in both devices. The update will roll out in mid-July 2018.

advertisements
Digit NewsDesk
The guy who answered the question 'What are you doing?' with 'Nothing'.
advertisements
ASK DIGIT

Recent Questions

Google Chromecast
CHRISTIANA JOHN
Sept 8, 2014
Responses 6
t ruth pushpalatha
Sept 8, 2014
D JAYASHEELA
Sept 8, 2014
Aditya Malpure
Sept 8, 2014
Vivek Bhatt
Sept 9, 2014
satish k
Sept 9, 2014
samuel browne
Sept 9, 2014
Comments
Be the first one to post the comment
Post a New Comment
You must be signed in to post a comment
advertisements