The Google Home and Chromecast are two of the best products from Mountain View in recent times. But as with most IoT products, there are a lot of security issues here too. New reports are pointing to a major privacy breach in both devices.
As reported by security reporter Brian Krebs, there happens to be a bug in Google Home and Chromecast that lets websites collect precise user location data. The bug, disclosed by researcher Craig Young at security firm Tripwire, works by exploiting a loophole in Google’s systems to cross-check a list of nearby wireless networks with Google’s precise geolocation lookup services.
Basically, by using the location gleaned from nearby Wi-Fi networks through a Google Home or Chromecast, a malicious website can triangulate a user’s location. Add to that the fact that these devices hardly require any authentication, and any third party could have access to one’s personal address in no time.
Krebs explains how Google’s geolocation data gives it the ability to “determine a user’s location to within a few feet” and how this differs greatly from standard IP-based geolocation:
It is common for websites to keep a record of the numeric Internet Protocol (IP) address of all visitors, and those addresses can be used in combination with online geolocation tools to glean information about each visitor’s hometown or region. But this type of location information is often quite imprecise. In many cases, IP geolocation offers only a general idea of where the IP address may be based geographically.
This is typically not the case with Google’s geolocation data, which includes comprehensive maps of wireless network names around the world, linking each individual Wi-Fi network to a corresponding physical location. Armed with this data, Google can very often determine a user’s location to within a few feet (particularly in densely populated areas), by triangulating the user between several nearby mapped Wi-Fi access points.
Compared to IP-based geolocation, which is only accurate to about two to three miles around the device, the method using Google’s data is precise to about 30 feet. Young even demonstrated the bug in action in a video.
Only after Krebs made it clear to the company that he was planning to write about the exploit did Google agree to roll out a fix for it. Young had previously contacted Google, but the company considered the geolocation issue an “intended behavior.”
The fix for the aforementioned bug in Google Home and Chromecast is expected to arrive sometime in the middle of July.