UPDATED 21:24 EDT / JUNE 18 2018

Google Home and Chromecast vulnerability allows hackers to obtain location data

Google LLC is promising to issue a fix within weeks for an authentication issue within its Google Home speakers and Chromecast devices that lets hackers easily obtain the home address of a user.

Discovered by Craig Young, a researcher with security firm Tripwire Inc., the vulnerability is a loophole in Google’s systems that allows the list of wireless networks near a given device to be cross-checked against Google’s geolocation lookup services.

That could allow a would-be hacker to triangulate the target’s location, exposing the physical location of the device’s users.

Somewhat oddly for a vulnerability, hackers do not first need to obtain access to one of the Google devices. The exploit can be served by a website viewed on a computer or smartphone on the same network, with the code then scanning for Google devices to identify the victim.

“An attacker can be completely remote as long as they can get the victim to open a link while connected to the same Wi-Fi or wired network as a Google Chromecast or Home device,” Young told KrebsOnSecurity. “The only real limitation is that the link needs to remain open for about a minute before the attacker has a location. The attack content could be contained within malicious advertisements or even a tweet.”

The good news is that, at the moment, Young has only disclosed that the attack is possible and provided a proof of concept, and there are no known examples of the exploit being used in the wild. That said, it soon could be.

Beyond privacy issues relating to a Chromecast or Google Home leaking a user’s precise geographic location, Young noted that the bug could help scammers make phishing and extortion attacks appear more realistic. “Common scams like fake FBI or IRS warnings or threats to release compromising photos or expose some secret to friends and family could abuse Google’s location data to lend credibility to the fake warnings,” Young warned.

Photo: Duncan Riley
