According to security researcher Brian Krebs, Google is set to fix a location data leak in their Google Home and Chromecast devices.
The precise location data exploit was discovered by researcher Craig Young from security firm Tripwire:
“An attacker can be completely remote as long as they can get the victim to open a link while connected to the same Wi-Fi or wired network as a Google Chromecast or Home device,” Young told KrebsOnSecurity. “The only real limitation is that the link needs to remain open for about a minute before the attacker has a location. The attack content could be contained within malicious advertisements or even a tweet.”
What makes this exploit different from basic IP geolocations, according to Young, was the fact he was able to get precise location data down to 10 metres of his test devices:
“The difference between this and a basic IP geolocation is the level of precision,” Young said. “For example, if I geolocate my IP address right now, I get a location that is roughly 2 miles from my current location at work. For my home Internet connection, the IP geolocation is only accurate to about 3 miles. With my attack demo however, I’ve been consistently getting locations within about 10 meters of the device.”
The location exploit is dangerous, as Young explains “The implications of this are quite broad including the possibility for more effective blackmail or extortion campaigns,” he said. “Threats to release compromising photos or expose some secret to friends and family could use this to lend credibility to the warnings and increase their odds of success.”
Originally, when Young contacted Google for the first time this May, the company closed his bug report with the message “Status: Won’t Fix (Intended Behavior”. But when Krebs contacted Google about the location leak, the company reversed its decision to announce a software update would ship in mid-July 2018 to fix it.
A demo of the location bug in action can be seen in the video below:
One way to isolate your Internet of Things devices is to use a multi-router solution, to isolate your home network, like this method used by security researcher Steve Gibson.