A serious privacy issue has surfaced on Google Home and Chromecast devices. A security researcher has reported that the two devices leak location details to websites because of an authentication weakness. The attack works by asking the device for a list of the Wi-Fi networks around it and then cross-checking that list against Google’s geolocation lookup services.
According to KrebsOnSecurity, Craig Young, a researcher with security firm Tripwire, was the first to report the problem. The website mentions that attackers can get access to a user’s location simply by asking the devices for nearby Wi-Fi networks. The list is easy to obtain because neither device requires any authentication for requests coming from other devices on the local network.
Young mentions in the report that an attacker can obtain the details by getting the user to click on a link while connected to the same Wi-Fi or wired network as the Google Home or Chromecast. The link needs to stay open for a minute, which leads Young to believe that the attacking content could be embedded in an advertisement or even a tweet.
Once the list is obtained, the attacker could simply feed the information to Google’s location services to get a precise location for the user. For those who are unaware, Google’s geolocation data includes detailed maps of wireless networks around the world. A location obtained this way is far more accurate than one obtained through IP geolocation. In a test he performed, Young stated that he could tell how far apart his device in the kitchen was from another device placed in the basement. Young said that he was consistently getting a location accuracy of 10 meters.
While that makes the issue more serious, Young claims that the risk is not limited to having your location leaked. Having that kind of information could make phishing and extortion attacks seem more realistic. Attackers could threaten to release compromising photos or expose some secret to friends and family, using the user’s location data to make the threat seem credible.
While Google overlooked the issue the first time Young reported it, the company is now working on a fix, thanks to an additional push from other researchers who noticed it as well. Google plans to release a software patch in mid-July. Until then, Young recommends disconnecting the device or being wary of the websites and applications loaded while on the same network as the connected devices.