Over the past few years, Google has made great strides in the hardware field, and its two most popular products by far have been the Chromecast and Google Home. These devices are truly nothing short of fantastic, but they aren’t perfect. Some massive bugs have plagued the devices in the past, and now it’s been discovered that a bug could have been revealing your physical location.
Earlier this year, a researcher by the name of Craig Young discovered an authentication “weakness” within the software of Google Home and Chromecast devices. When exploited, that weakness can reveal your specific location, accurate to within a few feet, through Google’s geolocation lookup services. How does it all work? Young explains (via KrebsOnSecurity):
An attacker can be completely remote as long as they can get the victim to open a link while connected to the same Wi-Fi or wired network as a Google Chromecast or Home device. The only real limitation is that the link needs to remain open for about a minute before the attacker has a location. The attack content could be contained within malicious advertisements or even a tweet.
To be clear, this isn’t an exploit that requires the attacker to be on the same network as you. It simply requires that you click a link and leave that page open for about a minute to actually obtain the location data. Given enough content on the page, that’s not too tall an order.
While attackers can more easily obtain location data through less complicated means such as your IP address, that information is not very precise. What makes this security hole a bit more alarming is the fact that Google’s geolocation data is incredibly accurate. Young says that basic IP location data can only track him to within 2 or 3 miles, but exploiting this weakness, he was able to track himself within 10 meters (33 feet) consistently. An example of this is seen in the video below.
Young also points out the possible uses of this sort of attack, saying that the implications are “quite broad.” For example, this sort of specific location data could easily be used in “blackmail or extortion campaigns,” potentially making them more effective by giving more credibility to the threat.
Google originally marked this issue as intended behavior when Young reached out in May, but the company has since changed its position. Now, the company plans to push an update to Google Home and Chromecast devices in mid-July which should fix the problem.
In the meantime, Young offers a temporary solution for those who want to protect themselves.
A much easier solution is to add another router on the network specifically for connected devices. By connecting the WAN port of the new router to an open LAN port on the existing router, attacker code running on the main network will not have a path to abuse those connected devices. Although this does not by default prevent attacks from the IoT devices to the main network, it is likely that most naïve attacks would fail to even recognize that there is another network to attack.
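A way to sanity-check the two-router layout described above, as an added example that is not from Young or Google. It is a static check of the addressing plan and never touches the network; the function name, the subnets and the device inventory are constructed for illustration.

```python
import ipaddress

def audit_segmentation(main_lan, iot_lan, iot_router_wan_ip, devices):
    """Return findings for the layout: new router's WAN port on the main LAN.

    main_lan / iot_lan: CIDR of the existing router's LAN and the new one's.
    devices: {name: (ip, is_connected_device)}; browsers are not connected
    devices, Chromecast and Google Home are.
    """
    main = ipaddress.ip_network(main_lan)
    iot = ipaddress.ip_network(iot_lan)
    findings = []
    # The new router's WAN side must be an ordinary client of the main LAN.
    if ipaddress.ip_address(iot_router_wan_ip) not in main:
        findings.append("new router WAN address is not on the main LAN")
    # Two consumer routers often ship with the same default range; if the
    # ranges overlap, the new router cannot tell inside from outside.
    if main.overlaps(iot):
        findings.append(f"subnets overlap: {main} and {iot}")
    for name, (ip, connected) in sorted(devices.items()):
        addr = ipaddress.ip_address(ip)
        if connected and addr in main and addr not in iot:
            # Still reachable from a browser on the main network.
            findings.append(f"{name} ({ip}) is still on the main network")
        elif not connected and addr in iot:
            # A browser here is on the same network as the devices again.
            findings.append(f"{name} ({ip}) shares the connected-device network")
        elif addr not in main and addr not in iot:
            findings.append(f"{name} ({ip}) is on neither network")
    return findings

# Constructed inventory: one device was never moved, one phone joined the
# wrong Wi-Fi.
SAMPLE = {
    "laptop": ("192.168.1.20", False),
    "phone": ("192.168.50.31", False),
    "chromecast": ("192.168.50.10", True),
    "google-home": ("192.168.1.44", True),
}

if __name__ == "__main__":
    for finding in audit_segmentation(
        "192.168.1.0/24", "192.168.50.0/24", "192.168.1.2", SAMPLE
    ):
        print(finding)
```

An empty result means every connected device sits behind the new router and every browsing device stays on the main network.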