Why it matters: Practical applications stemming from the bug could include the possibility for more effective extortion or blackmail campaigns and highly targeted ads (for example, an advertiser could determine if a user is at work or home and serve different ads accordingly).
A recently discovered authentication weakness impacting Google Home and Chromecast devices could make it trivially easy for an attacker to pinpoint your location.
Tripwire researcher Craig Young stumbled across the weakness while creating a lab exercise to demonstrate how a website can identify and take control of screens or speakers on a local network.
It turns out that although the Home app – which allows users to configure Google Home and Chromecast – performs most actions using Google’s cloud, some tasks are carried out using a local HTTP server. Commands to do things like setting the device name and Wi-Fi connection are sent directly to the device without any form of authentication.
The trick, Young said, is made possible my analyzing signal strengths for surrounding Wi-Fi networks and then triangulating a position based on mapped Wi-Fi access points.
The difference between this method and basic IP geolocation, he notes, is precision. In testing, he can get to around a two mile radius when using his IP address but with the attack demo, Young was consistently getting locations within about 10 meters of the device.
Young said the attack worked for him in Windows, macOS and Linux using either Chrome or Firefox.
Young first contacted Google about the vulnerability in May but didn’t get very far, only receiving a reply to his report with a “Status: Won’t Fix (Intended Behavior)” message. It wasn’t until Krebs on Security got involved that Google changed its tune.
The search giant is planning to release a patch to address the matter in mid-July, Krebs reports.