Location data leak in Google Home, Chromecast is being patched

Shawn Knight

Posts: 12,916   +125
Staff member

A recently discovered authentication weakness impacting Google Home and Chromecast devices could make it trivially easy for an attacker to pinpoint your location.

Tripwire researcher Craig Young stumbled across the weakness while creating a lab exercise to demonstrate how a website can identify and take control of screens or speakers on a local network.

It turns out that although the Home app – which allows users to configure Google Home and Chromecast – performs most actions using Google’s cloud, some tasks are carried out using a local HTTP server. Commands to do things like setting the device name and Wi-Fi connection are sent directly to the device without any form of authentication.

The trick, Young said, is made possible my analyzing signal strengths for surrounding Wi-Fi networks and then triangulating a position based on mapped Wi-Fi access points.

The difference between this method and basic IP geolocation, he notes, is precision. In testing, he can get to around a two mile radius when using his IP address but with the attack demo, Young was consistently getting locations within about 10 meters of the device.

Young said the attack worked for him in Windows, macOS and Linux using either Chrome or Firefox.

Young first contacted Google about the vulnerability in May but didn’t get very far, only receiving a reply to his report with a “Status: Won’t Fix (Intended Behavior)” message. It wasn’t until Krebs on Security got involved that Google changed its tune.

The search giant is planning to release a patch to address the matter in mid-July, Krebs reports.

Permalink to story.