In the coming weeks, Google plans to fix a bug in two of its most popular devices -- the Google Home and Chromecast. New research found that websites can run a simple script in the background of the devices that collects precise data location when installed on a user’s private network.
The Google Home serves as both a smart speaker and a home assistant, while the Chromecast is a small electronic device that streams TV shows, movies, and games to a television or monitor.
According to Tripwire’s Chris Young, there is an authentication weakness that leaks users’ location information that he found to be incredibly accurate. Young says the attacker will ask Google for a list of nearby wireless networks and then send that list to Google’s geolocation lookup services.
“An attacker can be completely remote as long as they can get the victim to open a link while connected to the same Wifi or wired network as a Google Chromecast or Home device,” Young said. “The only real limitation is that the link needs to remain open for about a minute before the attacker has the location. The attack content could be contained within malicious advertisements or even a tweet.”
How an attacker can get your location
Security reporter Brian Krebs explained how Google’s geolocation services can enable an attacker to seize a user’s location.
“It is common for websites to keep a record of the numeric Internet Protocol (IP) address of all visitors, and those addresses can be used in combination with online geolocation tools to glean information about each visitor’s hometown or region,” Krebs said.
Krebs noted this kind of data typically doesn’t produce the most precise results; however, that isn’t the case with Google’s geolocation data, which includes sophisticated maps of wireless networks globally that associates Wifi networks with physical locations.
“Armed with this data, Google can very often determine a user’s location to within a few feet (particularly in densely populated areas), by triangulating the user between several nearby mapped Wifi access points.”
When the bug will be fixed
A developer closed the bug issue shortly after Young found it in May, with it being marked as an “intended behavior.” However, when Krebs told Google he’d be writing a report on the issue, the company agreed to work on a fix.
The company says the issue should be fixed by sometime in July.
“The implications of this are quite broad including the possibility for more effective blackmail or extortion campaigns,” Young said. “Threats to release compromising photos or expose some secret to friends and family could use this to lend credibility and increase their odds of success.”