Google Home and Chromecast Expose Location Data

Google Home and Chromecast Expose Location Data

One of the consequences of constant connectivity is that the connected devices people use are vulnerable to attacks, which can expose not only personal but also location data, as a researcher from cybersecurity firm Tripwire recently discovered.

A new attack against popular home devices Google Home and Chromecast revealed a privacy issue: The devices can be used to find out where people live.

In an 18 June post, researcher Craig Young detailed how he used a technique called DNS rebinding to achieve code execution, allowing him to pinpoint precise locations of Google Home and Chromecast devices just by getting their users to open a website.

DNS rebinding uses a web browser to find devices on a user's network, a revelation that even surprised Young when he found not only that this attack is possible but also that Google was aware of the problem and had done nothing.

“It turns out that although the Home app – which allows users to configure Google Home and Chromecast – performs most actions using Google’s cloud, some tasks are carried out using a local HTTP server. Commands to do things like setting the device name and WiFi connection are sent directly to the device without any form of authentication,” Young said.

The discovery presents both a privacy and a safety issue for users that browse the web from the same Wi-Fi as a Google Home or Chromecast because it opens up the possibility of cyber-stalking. A website’s operator can learn a user’s location, which makes it possible for a predator to physically stalk a victim in the real world.

Moreover, Young believes it's important for users of these kinds of devices to understand the broader implications and risks of this new attack, as there is the "possibility of more effective blackmail or extortion campaigns. Common scams like fake FBI or IRS warnings or threats to release compromising photos or expose some secret to friends and family could use this to lend credibility to the warnings and increase their odds of success.”

As a method of mitigating exposure, Young said he has at least three distinct networks in his home at any given time so that if he is surfing the web on his main network, “a rogue website or app would not be able to find or connect to my devices. When using Chromecast, I need to then either switch networks temporarily or else use the sometimes glitchy ‘Guest Mode.’”

Source: Information Security Magazine