Advertisement

Google will fix Home and Chromecast bug that reveals your location

Attackers could find out where you live within a few feet.

Don't look now, but your Google Home speaker or Chromecast could give away your whereabouts... for a little while, that is. Google has promised a fix for an authentication vulnerability that lets attackers obtain your location using the company's devices as a conduit. While the necessary Home app on your phone normally performs most tasks through Google's cloud services, others (such as setting a device name and WiFi connection) are sent directly to the Home or Chromecast without authentication. If you use domain name system rebinding software, you can exploit this to obtain nearby wireless networks and use Google's location lookup services to obtain a position to an accuracy of a few feet.

An intruder doesn't need to be connected to your local network -- they just need to prompt you to open a link while you're connected to the same network as one of Google's affected devices. You also need to keep that link open for roughly a minute (the amount of time it takes to get a location), but that's not necessarily difficult if there's enough content to distract the target.

The fix is expected to arrive in mid-July. In the meantime, though, there's a risk this could be used to add seeming legitimacy to phishing and extortion campaigns. A scammer could target you by focusing on your exact address or neighborhood, for instance, while a blackmailer could find out where you live and use that as part of a threat to release private info. No matter what, this is a reminder that smart home gadgets still have a long way to go before they're truly secure. You have to assume that even mildly sensitive info transmitted in the clear can serve as an avenue for attack, and Google has learned that lesson the hard way.