Location data leak in Google Home, Chromecast is being patched

Joanna Estrada
June 19, 2018

The link would then need to stay open for around a minute.

While attackers can more easily obtain location data through less complicated means such as your IP address, that information is not very precise.

"Ive been consistently getting locations within about 10 meters of the device". In his own testing, Young said the data he pulled accurately pinpointed his house.

Google initially didn't pay heed to Young's findings, but after another security researcher raised the issue with them, the company woke up to the problem, and said it will be fixed in an update coming next month.

The implication of this vulnerability doesn't limit to location data leak.

Young created a video of the exploit in action, which has been successful in three environments and gleaned a precise street address on each occasion. Using Google's location services, the nearby networks resolve into a physical location.

He added: "The Wi-Fi based geolocation works by triangulating a position based on signal strengths to Wi-Fi access points with known locations based on reporting from people's phones".

In addition to allowing criminals to physically track down devices and potentially arming an attacker with geo-data that can be used to craft more believable phishing or extortion messages, it also allows a third party to correlate who shares the household.

The location exploit is risky, as Young explains "The implications of this are quite broad including the possibility for more effective blackmail or extortion campaigns", he said. “Threats to release compromising photos or expose some secret to friends and family could use this to lend credibility to the warnings and increase their odds of success, ” he said. But upon being contacted by Krebs on Security, the company said it would fix the issue through an update scheduled for release in July.

In the researcher's proof of concept, a URL is opened on a computer connected to a Wi-Fi network that's also connected to a Google Home or Chromecast device.

Earlier this year, KrebsOnSecurity posted some basic rules for securing your various "Internet of Things" (IoT) devices.

Do you think we've moved too fast with IoT devices? "By connecting the WAN port of the new router to an open LAN port on the existing router, attacker code running on the main network will not have a path to abuse those connected devices".

The only way to completely mitigate the risk of being tracked by these kinds of devices is to disconnect them, according to Young, although using professional network segmentation or a separate router for connected smart-home items can help thwart attacks.

Other reports by Click Lancashire

Discuss This Article