A security report from KrebsOnSecurity has revealed that Google will fix a bug discovered in its Home smart speaker and Chromecast TV streaming device. The bug allows an attacker to run a script on a website and, once a user of either device clicks on the link, collect the user's precise location data.
Craig Young, a researcher with security firm Tripwire, discovered that an “authentication weakness” gives away accurate location information about users who own a Google Home or Chromecast device. The attacker uses Google’s geolocation lookup services to reveal a user’s precise location.
An attacker can be completely remote as long as they can get the victim to open a link while connected to the same Wi-Fi or wired network as a Google Chromecast or Home device. The only real limitation is that the link needs to remain open for about a minute before the attacker has a location. The attack content could be contained within malicious advertisements or even a tweet.
Websites keep a record of visitors’ numeric Internet Protocol (IP) addresses and can later use those addresses with online geolocation tools to get information about visitors. This method may yield inaccurate information. What makes this bug in Google Home and Chromecast alarming is that Google’s geolocation data is amazingly accurate.
Young further said that:
Beyond leaking a Chromecast or Google Home user’s precise geographic location, this bug could help scammers make phishing and extortion attacks appear more realistic. Common scams like fake FBI or IRS warnings or threats to release compromising photos or expose some secret to friends and family could abuse Google’s location data to lend credibility to the fake warnings.
While a patch will be released by Google to fix the bug in mid-July 2018, Young has offered a temporary solution for users to protect themselves.
A much easier solution is to add another router on the network specifically for connected devices. By connecting the WAN port of the new router to an open LAN port on the existing router, attacker code running on the main network will not have a path to abuse those connected devices. Although this does not by default prevent attacks from the IoT devices to the main network, it is likely that most naïve attacks would fail to even recognize that there is another network to attack.
Watch the video below to see Young demonstrate the bug in action: