Precise Location Data Leak Found in Google Home and Chromecast Devices

Joanna Estrada
June 19, 2018

This is allowed by Google's "Find my Phone" feature for all its hardware - including Google Home and Chromecast devices.

Your Google Home or Google Chromecast device might give away your location to malicious hackers, a security researcher has found. Google is working to fix this, but the patch might not be ready until next month.

To demonstrate the threat, Young created a website that can sniff out location data from the Google products if a visitor remains on the page for about a minute.

'The attack content could be contained within malicious advertisements or even a tweet'. For my home Internet connection, the IP geolocation is only accurate to about 3 miles.

What makes the vulnerability disturbing is how precise the location data can be, even without any access to Global Positioning System identifiers. In many cases, IP geolocation offers only a general idea of where the IP address may be based geographically.

Mr Young found he could access router location data stored on a Home or Chromecast gadget via a computer connected to the same network. Armed with this data, Google can very often determine a user's location to within a few feet (particularly in densely populated areas), by triangulating the user between several nearby mapped Wi-Fi access points.

The difference between this method and basic IP geolocation, he notes, is precision. In testing, he can get to around a two mile radius when using his IP address but with the attack demo, Young was consistently getting locations within about 10 meters of the device.

Google has reportedly promised to fix a vulnerability in its Chromecast devices and Google Home speakers that could let attackers discover the location of users. Once the list is received, the victim's precise location can easily be obtained by feeding the list to Google's location services. Common scams like fake Federal Bureau of Investigation or IRS warnings or threats to release compromising photos or expose some secret to friends and family could abuse Google's location data to lend credibility to the fake warnings, Young notes.

Young pointed out that the attack opens up the possibility of more realistic phishing or extortion attempts. “Threats to release compromising photos or expose some secret to friends and family could use this to lend credibility to the warnings and increase their odds of success, ” he said.

Google originally marked this issue as intended behavior when Young reached out in May, but the company has since changed its position. Said update is suggested to be coming in mid-July of 2018.

The issue is that Home and Chromecasts don't require authentication for commands that come over your local network.

"The confluence of these properties means that web browsers and, therefore, websites can sometimes interact with network devices", Young explained in a blog post on Monday. Users should also be mindful of what websites or apps are loaded while on the same network as the devices.

Do you think we've moved too fast with IoT devices?

"A much easier solution is to add another router on the network specifically for connected devices", Young wrote.

The attack can be done remotely as long as the victim is connected to the same network as the device.

Other reports by Click Lancashire

Discuss This Article