Google is working to fix a bug in its Google Home and Chromecast devices that allows a malicious website to obtain valuable data on the location of users, as confirmed by the company. The vulnerability was reported Tuesday by researcher Craig Young and security specialist Brian Krebs.
According to Young, an employee of the security firm Tripwire, an attacker could use a loophole in Google’s systems to check a list of nearby wireless networks against Google geolocation search services.
After that, by performing a triangulation, the attacker could determine a location with a margin of error of just a few meters.
Nearby wifi networks and Google’s geolocation would be key
The attack would work by asking Google Home or Chromecast for a list of nearby wifi networks and then sending that list to the company’s own location services. All this would be possible as long as the victim opens a specific link while connected to the same wifi network as the Google devices, or while connected to them by cable.
The attack content, which according to the researcher could be delivered through malicious advertisements or even a tweet, would be able to triangulate a user’s location. The key to everything, Young explains, is geolocation through wifi networks, similar to what Android does with mobile phone antennas.
Also, in his opinion, knowing this information could help an attacker carry out more effective extortion or blackmail campaigns.
Google will patch the bug in Google Home and Chromecast in a few weeks
In addition to providing video evidence of one of these attacks, the expert explains that testing Google’s location capabilities over wifi networks is as simple as turning off a device’s location data, removing its SIM card and seeing how navigation applications like Waze continue to display the location of the device correctly.
However, this is not a problem that concerns Google alone; it is shared with the other companies responsible for devices that are part of the Internet of Things. That’s what Young thinks, at least.
Google will roll out patches to fix this bug in its Google Home and Chromecast in a few weeks.