Image credit: Chris Velazco/Engadget

Google will fix Home and Chromecast bug that reveals your location

Attackers could find out where you live within a few feet.

Don't look now, but your Google Home speaker or Chromecast could give away your whereabouts... for a little while, that is. Google has promised a fix for an authentication vulnerability that lets attackers obtain your location using the company's devices as a conduit. While the Home app on your phone normally performs most tasks through Google's cloud services, some (such as setting a device name and WiFi connection) are sent directly to the Home or Chromecast without authentication. An attacker using DNS (domain name system) rebinding software can exploit this to obtain the list of nearby wireless networks and pass it to Google's location lookup services, yielding a position accurate to within a few feet.

An intruder doesn't need to be connected to your local network -- they just need to prompt you to open a link while you're connected to the same network as one of Google's affected devices. You also need to keep that link open for roughly a minute (the amount of time it takes to get a location), but that's not necessarily difficult if there's enough content to distract the target.
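A defender-side check for the DNS rebinding step described above, as an added example that is not from the article or from Google: it scans resolver log records for a public hostname whose answer changes from an external address to an internal one within a short window. The log record layout, the local-zone suffixes, the 120-second window and every sample record are assumptions constructed for illustration.

```python
import ipaddress

# Internal ranges a public hostname should never resolve to.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]
LOCAL_SUFFIXES = (".lan", ".local", ".home.arpa")  # assumed internal zones

# Constructed resolver log: (epoch seconds, client, queried name, answer).
# External answers use documentation address ranges.
SAMPLE_LOG = [
    (1000, "192.168.1.23", "news.example.com", "198.51.100.20"),
    (1004, "192.168.1.23", "a1b2.rebind.example.net", "203.0.113.10"),
    (1031, "192.168.1.23", "a1b2.rebind.example.net", "192.168.1.50"),
    (1040, "192.168.1.40", "printer.lan", "192.168.1.9"),
    (1100, "192.168.1.40", "intranet.example.org", "10.0.0.5"),
]

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def find_rebinding(log, window=120):
    """Return (kind, client, name, answer) for suspicious answers.

    kind is "flip" when the same client saw an external answer for the
    name within `window` seconds before the internal one (the rebinding
    pattern), else "internal-answer" (public name pointing inside).
    """
    last_external = {}  # (client, name) -> time of last external answer
    findings = []
    for ts, client, name, addr in sorted(log):
        if name.endswith(LOCAL_SUFFIXES):
            continue  # local names are expected to map to local addresses
        key = (client, name)
        if not is_internal(addr):
            last_external[key] = ts
            continue
        seen = last_external.get(key)
        recent = seen is not None and ts - seen <= window
        findings.append(("flip" if recent else "internal-answer",
                         client, name, addr))
    return findings

if __name__ == "__main__":
    for finding in find_rebinding(SAMPLE_LOG):
        print(finding)
```

Many resolvers can also refuse such answers outright instead of only logging them; the same address test applies there.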

The fix is expected to arrive in mid-July. In the meantime, though, there's a risk this could be used to add seeming legitimacy to phishing and extortion campaigns. A scammer could target you by focusing on your exact address or neighborhood, for instance, while a blackmailer could find out where you live and use that as part of a threat to release private info. No matter what, this is a reminder that smart home gadgets still have a long way to go before they're truly secure. You have to assume that even mildly sensitive info transmitted in the clear can serve as an avenue for attack, and Google has learned that lesson the hard way.
