Craig Young, an IT security expert from Tripwire has found an unusual and potentially dangerous privacy flaw in Google Home and Chromecast devices leaking location data of their users.
Simply put, the issue lets websites gather exact geographical location of users by running malicious scripts. Google, on the other hand, is aware of the issue and vows to fix it in the next few weeks.
According to Young, The flaw poses a massive privacy risk to users since attackers can access exact location of the device, unlike an IP address which does not show the precise location of the user.
The malfunction is related to the method used by these devices to interact with the wireless networks located nearby without any type of authentication such as assigning a new name to the devices or configuring a WiFi network.
For example, if an attacker decides to exploit the flaw they do not have to be physically nearby the user. It only requires the victim to keep the site open for about a minute while they are connected to the same network as Chromecast or Google Home.
See: Popular Chrome VPN extensions are leaking your DNS data
“An attacker can be completely remote as long as they can get the victim to open a link while connected to the same Wi-Fi or wired network as a Chromecast or Google Home Home device,” Young told Brain Kreb of Kreb onSecurity. “The only real limitation is that the link needs to remain open for about a minute before the attacker has a location. The attack content could be contained within malicious advertisements or even a tweet.”
“I’ve only tested this in three environments so far, but in each case, the location corresponds to the right street address,” Young said. “The Wi-Fi-based geolocation works by triangulating a position based on signal strengths to Wi-Fi access points with known locations based on reporting from people’s phones.”
Watch the demonstration below:
When Young contacted Google in May this year, the company did not pay any attention to the issue however when journalist Kreb reached Google it assured that the flaw will be fixed in the next few weeks.
According to Google, millions of users around the world are using Chromecast and Google Home devices that means millions of devices are currently vulnerable to this flaw while they are being used by people at home and businesses respectively – Let’s hope Google is truly serious about fixing the flaw.
This is not the first time when Google Home has made headlines for all the wrong reasons. Previously, Google Home Mini was found secretly recording user conversations due to “Flawed Touch Panel.”
See: Google collects Android location data even if location service is off