Google Home and Chromecast can release precise location




Google Home and the Chromecast have an authentication vulnerability that makes it possible to read the exact location of the devices remotely. Google is working on a fix for the vulnerability.

The vulnerability can be exploited by having a user click on a link while connected to the same network as the Google Home speaker or Chromecast player. For example, the link may be part of a tweet or ad. After the user clicks, the attacker can request a list of nearby Wi-Fi networks from the Home of Chromecast.

Because Google has mapped the location of wireless networks, the location of the devices can be precisely determined via the html5 geolocation api. For example, only a global impression of the location can be obtained via the IP address. The conditions are that the target keeps the connection to the link open for about one minute and there are sufficient Wi-Fi networks in the area to accurately determine the position via triangulation.

The basis of the vulnerability lies with the Home app that is used for the Home speaker and Chromecast when configuring the network settings. This does not require authentication and works via the local http server. Security bureau Tripwire, which discovered the problem, used its dns rebooting software for the attack.

According to Krebs on Security , the attack can for example be abused in phishing and extortion attempts. Google initially thought that there was no problem, because the service worked as intended, but in the end the company decided to update both the Home and the Chromecast. This must be done mid-July.


In: A Technology & Gadgets Asked By: [22618 Red Star Level]

Answer this Question

You must be Logged In to post an Answer.

Not a member yet? Sign Up Now »