A security breach was discovered this month by a researcher with an eye on Google Home and GPS location reporting. In his proof of concept, a URL is opened on a computer connected to a Wi-Fi network that’s also connected to a Google Home or Chromecast device. If the URL is clicked and the webpage is kept open for around a minute, the user’s home GPS location is found – and subsequently exploited.
The issue was identified by Tripwire VERT’s Craig Young earlier this month and reported to Google well in advance of any public release. According to Young, the problem here is an un-authenticated view of location information for anyone connected to a targeted Wi-Fi network. This is allowed by Google’s “Find my Phone” feature for all its hardware – including Google Home and Chromecast devices.
The attack works in Linux, Windows, and macOS, just so long as the victim is using Firefox or Chrome. “Starting from a generic URL, my attack first identifies the local subnet and then scans it looking for the Google devices and registers a subdomain ID to initiate DNS rebinding on the victim,” said Young. “About a minute after the page had loaded, I was looking at my house on Google Maps.”
Above you’ll see the attack in action. Users of Google Home and Chromecast devices should be worried about this situation for its potential to do further harm. Malicious entities looking to exploit the personal information of a target can go to extreme lengths to steal or destroy a person’s assets and life once they have their physical address.
“The implications of this are quite broad including the possibility for more effective blackmail or extortion campaigns,” said Young in a Krebs on Security article. “Threats to release compromising photos or expose some secret to friends and family could use this to lend credibility to the warnings and increase their odds of success.”
The simplest way to reduce exposure to threats such as these is NETWORK SEGMENTATION. All this requires is a secondary router. Your internet connection to personal computers, mobile phones, etc, is hosted on one router. Your Smart Home devices, IP camera, Smart TV, Chromecast, and Google Home are connected to a second router. This method still needs just one internet connection – the routers keep the devices apart.
Krebs suggested that Google’s replied to their report on the security issue. Google is apparently planning on “shipping an update to address the privacy leak in both devices.” Said update is suggested to be coming in mid-July of 2018. Until then, courage!