The adoption of smart devices in our homes is growing, and a new report says that if you’re using a Google Home, or even a Chromecast, those devices can give someone who goes looking quite accurate location data.
The report from Craig Young, a researcher with security firm Tripwire, says that the vulnerability stems from an authentication issue on the devices. Young said that because devices rarely require authentication for connections received on a local network, an attacker who gains access can request a list of nearby wireless networks from a Chromecast or Google Home on that network, and then send a request with that information to Google’s geolocation lookup services.
In an interview with the website Krebs on Security, Young said:
“An attacker can be completely remote as long as they can get the victim to open a link while connected to the same Wi-Fi or wired network as a Google Chromecast or Home device. The only real limitation is that the link needs to remain open for about a minute before the attacker has a location. The attack content could be contained within malicious advertisements or even a tweet.”
The good news is that Google is working on a fix for this, although it almost wasn’t: Young says that when he first reported the issue to Google in May, the bug report was marked as ‘Won’t Fix (Intended Behavior)’. Google has since reconsidered and has advised that an update to fix the issue is coming next month.
At this stage the vulnerability doesn’t appear to have been used in the wild, but Young does recommend that any IoT devices be kept on a separate network from your computer.