Recent research into the security of Internet of Things (IoT) devices has uncovered an authentication vulnerability in the Google Home and Chromecast. By exploiting this vulnerability, an attacker can obtain the user’s geographical location, accurate to a 15-foot radius.
Security researcher Craig Young, who found the vulnerability, explains that the exploit requires the user to be on the same network as a Google IoT device and to stay connected to a malicious webpage for approximately 1 minute. In this time, the malicious webpage queries the Google Home or Chromecast device for all nearby wireless network devices and uses the retrieved Google geolocation data to triangulate the position of the victim.
Craig Young stated that “The attack content could be contained within malicious advertisements or even a tweet”, giving the attacker enough time to retrieve your location while you unknowingly view your Twitter feed, read an article or do your online shopping.
The reason this type of attack is so accurate comes down to the way Google uses its geolocation data. Unlike geolocation using IP addresses, where results are usually only accurate down to a town or region, Google creates a map of wireless hotspots by collecting information from Android devices with Wi-Fi search and GPS enabled. As users walk by or connect to Wi-Fi hotspots, their devices can retrieve information such as the Service Set Identifier (SSID) and the router’s MAC (Media Access Control) address. While this happens, Google collects the phone’s GPS location at the time to generate an approximate location for that router.
Fortunately, Google have acknowledged the issue and will be releasing a patch sometime in the middle of July to resolve it. If you own a Google IoT device, be sure to update it when this patch is released!