Published: Wed, June 20, 2018

Google Home, Chromecast can tell bad guys where you live


This is allowed by Google's "Find my Phone" feature for all its hardware - including Google Home and Chromecast devices. The victim would then be more likely to give in to the hacker's demands. Young noted in his post that browser extensions and mobile apps are typically allowed to query location information without the user being notified about it.

The issue was identified by Tripwire VERT's Craig Young earlier this month and reported to Google well in advance of any public release.

"I've been consistently getting locations within about 10 meters of the device." Using Google's location services, the nearby networks resolve into a physical location.

What makes the vulnerability disturbing is how precise the location data can be, even without any access to Global Positioning System identifiers.

In his proof of concept, a URL is opened on a computer connected to a Wi-Fi network that's also connected to a Google Home or Chromecast device. In his own testing, Young said the data he pulled accurately pinpointed his house.

Beyond leaking a Chromecast or Google Home user's precise geographic location, this bug could help scammers make phishing and extortion attacks appear more realistic.

Using the DNS rebinding software, he created a basic end-to-end attack that worked in Linux, Windows and macOS using Chrome or Firefox.
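For defenders, DNS rebinding leaves a recognizable trace in resolver logs: a hostname that first answers with an external address and shortly afterwards answers with an internal one. The following is an added example, not Young's tool or any code from the original report; the log format, hostnames, addresses and the 120-second window are constructed assumptions.

```python
import ipaddress

# Internal ranges a home device would sit in (RFC 1918, loopback, link-local).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample log, hypothetical format: "epoch client qname answer_ip".
SAMPLE_LOG = """\
1529500000 192.168.1.23 cdn.example.net 192.0.2.80
1529500005 192.168.1.23 a1b2.rebind.example 203.0.113.10
1529500042 192.168.1.23 a1b2.rebind.example 192.168.1.50
1529500100 192.168.1.23 nas.home.example 192.168.1.9
1529509000 192.168.1.40 slow.example.org 198.51.100.7
1529519000 192.168.1.40 slow.example.org 10.0.0.5
not a log line
"""

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_rebinding(log_text, window=120):
    """Flag names that answered with an external IP and then, within
    `window` seconds, with an internal IP for the same client."""
    last_external = {}   # (client, qname) -> (timestamp, external_ip)
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        try:
            ts, client, qname, answer = int(parts[0]), parts[1], parts[2], parts[3]
            internal = is_internal(answer)
        except (ValueError, IndexError):
            continue     # skip malformed lines
        key = (client, qname.lower().rstrip("."))
        if not internal:
            last_external[key] = (ts, answer)
        elif key in last_external and ts - last_external[key][0] <= window:
            ext_ts, ext_ip = last_external[key]
            findings.append((client, key[1], ext_ip, answer, ts - ext_ts))
    return findings

if __name__ == "__main__":
    for f in find_rebinding(SAMPLE_LOG):
        print("possible DNS rebinding:", f)
```

Names that only ever resolve to internal addresses, and names whose external and internal answers are far apart in time, are not flagged.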


Hackers could use the technique to make scam messages - such as fake claims they have embarrassing photos of you taken through your webcam - more convincing. "Common scams like fake Federal Bureau of Investigation or IRS warnings or threats to release compromising photos or expose some secret to friends and family could use this to lend credibility to the warnings and increase their odds of success."

The researcher told KrebsOnSecurity that the hack presents a danger because it can be performed remotely from nearly any location. No matter what, this is a reminder that smart home gadgets still have a long way to go before they're truly secure.

But even as they transform our lives, they put families at risk from criminal hackers taking advantage of security flaws to gain virtual access to homes. "Commands to do things like setting the device name and WiFi connection are sent directly to the device without any form of authentication", Young said.

A security firm has found a vulnerability in Chromecast and Google Home devices that could let attackers find the location of their users.

Young told Krebs that he contacted Google about this problem in May, and that the company said that this wasn't actually a problem.

Sure, for the attack to work, an attacker would have to dupe his or her victim into clicking on a fraudulent link, and then keep the victim on the link for about a minute. You have to assume that even mildly sensitive info transmitted in the clear can serve as an avenue for attack, and Google has learned that lesson the hard way.
