Image credit: Chris Velazco/Engadget

Google will fix Home and Chromecast bug that reveals your location

Attackers could find out where you live within a few feet.

Don't look now, but your Google Home speaker or Chromecast could give away your whereabouts... for a little while, that is. Google has promised a fix for an authentication vulnerability that lets attackers obtain your location using the company's devices as a conduit. While the necessary Home app on your phone normally performs most tasks through Google's cloud services, others (such as setting a device name and WiFi connection) are sent directly to the Home or Chromecast without authentication. An attacker using domain name system (DNS) rebinding can exploit this to obtain a list of nearby wireless networks and use Google's location lookup services to obtain a position to an accuracy of a few feet.

An intruder doesn't need to be connected to your local network -- they just need to prompt you to open a link while you're connected to the same network as one of Google's affected devices. You also need to keep that link open for roughly a minute (the amount of time it takes to get a location), but that's not necessarily difficult if there's enough content to distract the target.

The fix is expected to arrive in mid-July. In the meantime, though, there's a risk this could be used to add seeming legitimacy to phishing and extortion campaigns. A scammer could target you by focusing on your exact address or neighborhood, for instance, while a blackmailer could find out where you live and use that as part of a threat to release private info. No matter what, this is a reminder that smart home gadgets still have a long way to go before they're truly secure. You have to assume that even mildly sensitive info transmitted in the clear can serve as an avenue for attack, and Google has learned that lesson the hard way.
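
The article does not say how Google's fix works. As an added illustration (not code from Google or from this article), one common device-side defence against DNS rebinding is to reject local HTTP requests whose Host header is neither the device's own address nor a name it expects, since a rebinding page makes the browser send the attacker's domain in that header. The allowlisted name, the addresses and the port below are constructed for the example.

```python
import ipaddress

# Constructed sample values (assumptions, not taken from any real device).
ALLOWED_NAMES = {"speaker.local"}
DEVICE_IPS = {ipaddress.ip_address("192.168.1.20"),
              ipaddress.ip_address("fe80::1")}


def split_host(host_header):
    """Return the host part of a Host header without port or IPv6 brackets,
    or None if the header is malformed."""
    value = host_header.strip()
    if value.startswith("["):                    # bracketed IPv6, e.g. [fe80::1]:8080
        end = value.find("]")
        if end == -1:
            return None
        rest = value[end + 1:]
        if rest and not (rest.startswith(":") and rest[1:].isdigit()):
            return None
        return value[1:end] or None
    host, sep, port = value.rpartition(":")
    if sep:                                      # "host:port" form
        if not port.isdigit():
            return None
        value = host
    return value or None


def host_is_trusted(host_header, device_ips=DEVICE_IPS):
    """Allow only the device's own IP literals or an allowlisted name.
    Anything else (including a rebinding domain) fails closed."""
    host = split_host(host_header or "")
    if host is None:
        return False
    host = host.rstrip(".").lower()              # normalise case and trailing dot
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return host in ALLOWED_NAMES             # not an IP literal: must be a known name
    return addr in device_ips
```

A check like this only blocks the rebinding path; requests that change device settings still need real authentication.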
