Google to Fix Precise Location Data Leak in Google Home, Chromecast

Brian Krebs:

Craig Young, a researcher with security firm Tripwire, said he discovered an authentication weakness that leaks incredibly accurate location information about users of both the smart speaker and home assistant Google Home, and Chromecast, a small electronic device that makes it simple to stream TV shows, movies and games to a digital television or monitor.

Young said the attack works by asking the Google device for a list of nearby wireless networks and then sending that list to Google’s geolocation lookup services.

“An attacker can be completely remote as long as they can get the victim to open a link while connected to the same Wi-Fi or wired network as a Google Chromecast or Home device,” Young told KrebsOnSecurity. “The only real limitation is that the link needs to remain open for about a minute before the attacker has a location. The attack content could be contained within malicious advertisements or even a tweet.”

Young is getting location data accurate to within 10 meters from his exploit. All you have to do to be exposed is open a web page and leave it open for a minute. This is the common-sense fear of this whole Internet of Things movement: that these devices we’re putting on our networks aren’t secure, even the ones from big companies like Google.

(I would also argue that it’s wrong that JavaScript running on a web page is able to ping devices on your local network without any sort of prompt granting it such access.)

Monday, 18 June 2018