In the coming weeks, Google Chromecast and Google Home devices around the world will be quietly updated to address a serious security bug, which reveals a user's location data.
Security reporter Brian Krebs publicly reported the vulnerability, which was first disclosed by Tripwire security researcher Craig Young.
The issue stems from the fact that Chromecast and Home devices don't require authentication for commands facilitated within a local network. The attack exploits DNS rebinding to communicate with the aforementioned devices, appearing as harmless local requests. This way, the attacker acquires a list of nearby Wi-Fi networks. Then taking advantage of Google's location services, the attacker can triangulate a user's precise location.
How An Attacker Can Get Your Location Data Via Chromecast Or Google Home
Below, Krebs explains how Google's geolocation data lends an attacker the opportunity to seize a user's location:
"It is common for websites to keep a record of the numeric Internet Protocol (IP) address of all visitors, and those addresses can be used in combination with online geolocation tools to glean information about each visitor's hometown or region." However, this kind of location data is typically imprecise, he says, to the point where IP geolocation can only offer a generalized idea of where an IP address may be located.
That, however, isn't the case with Google's own geolocation data, which includes sophisticated maps of wireless networks globally, associating Wi-Fi networks to physical locations.
"Armed with this data, Google can very often determine a user's location to within a few feet (particularly in densely populated areas), by triangulating the user between several nearby mapped Wi-Fi access points."
When Is The Fix Coming?
When Young reported the vulnerability to Google in May, a developer closed the report without a fix, marking it as "intended behavior." When Krebs reached out to Google and said he intends to write a report about it, the company agreed to work on a patch.
The fix will arrive sometime in the middle of July. So far, there's been no evidence suggesting this attack is being used in the wild. Even still, Young says internet-of-things devices should be under a separate network from one's computer.
"The implications of this are quite broad including the possibility for more effective blackmail or extortion campaigns," says Young. "Threats to release compromising photos or expose some secret to friends and family could use this to lend credibility to the warnings and increase their odds of success."
