UPDATED 21:24 EDT / JUNE 18 2018

Google Home and Chromecast vulnerability allows hackers to obtain location data

Google LLC is promising to issue a fix within weeks for an authentication issue in its Google Home speakers and Chromecast devices that lets hackers easily obtain the home address of a user.

Discovered by Craig Young, a researcher with security firm Tripwire Inc., the vulnerability exploits a loophole in Google’s systems to cross-check a list of the wireless networks near a given device against Google’s geolocation lookup services.

That could allow a would-be hacker to triangulate the target’s location, exposing users of the device to having their physical location identified.

Somewhat oddly for a vulnerability, hackers do not need to obtain access to one of the Google devices directly. The exploit can be served via a website being viewed on a computer or smartphone on the network, with the code then scanning for the Google devices to identify the victim.

“An attacker can be completely remote as long as they can get the victim to open a link while connected to the same Wi-Fi or wired network as a Google Chromecast or Home device,” Young told KrebsOnSecurity. “The only real limitation is that the link needs to remain open for about a minute before the attacker has a location. The attack content could be contained within malicious advertisements or even a tweet.”

The good news is that at the moment, Young has only disclosed that the attack is possible and provided a proof-of-concept, meaning that there are no known examples of the exploit being used in the wild. That said, there soon could be.

Beyond privacy issues relating to a Chromecast or Google Home leaking a user’s precise geographic location, Young noted that the bug could help scammers make phishing and extortion attacks appear more realistic. “Common scams like fake FBI or IRS warnings or threats to release compromising photos or expose some secret to friends and family could abuse Google’s location data to lend credibility to the fake warnings,” Young warned.

Photo: Duncan Riley
