Research has shown that Google’s two most popular smart home products are leaking precise location data that reveals where the devices are.
Craig Young, a researcher at security firm Tripwire, discovered that security flaws in Google Home and the Chromecast TV streaming device are exposed when an attacker asks the device for a list of nearby wireless networks. That list can then be sent to Google’s geolocation lookup services to obtain the device’s location.
“An attacker can be completely remote, as long as they can get the victim to open a link while connected to the same Wi-Fi or wired network as a Google Chromecast or Home device,” Young said to KrebsOnSecurity.
“The only real limitation is that the link needs to remain open for about a minute before the attacker has a location. The attack content could be contained within malicious advertisements or even a tweet.”
Google’s location flaw a result of its own precision
Many websites keep track of visitors’ IP addresses, which can be used alongside geolocation tools to provide information on the hometown or region of each visitor. This capability is handy from an analytics perspective, particularly with online advertisers keen to know as much as possible about audience demographics.
However, Google’s geolocation data typically goes much further than that. The search giant has access to detailed maps of wireless network environments around the world, and can use them to pinpoint locations far more precisely than an IP address allows. A user’s location can be triangulated from multiple mapped Wi-Fi access points nearby.
“The difference between this and a basic IP geolocation is the level of precision,” explained Young.
“For example, if I geolocate my IP address right now, I get a location that is roughly two miles from my current location at work. For my home Internet connection, the IP geolocation is only accurate to about three miles. With my attack demo however, I’ve been consistently getting locations within about 10 meters of the device.”
Young has suggested that the leaking of location data is symptomatic of a wider security flaw, which could be exploited for phishing attacks and extortion attempts. The bug could also be used to add credibility to common scams.
“The implications of this are quite broad, including the possibility for more effective blackmail or extortion campaigns,” he said. “Threats to release compromising photos or expose some secret to friends and family could use this to lend credibility to the warnings and increase their odds of success.”
Internet of Business says
Google has confirmed plans to update both affected devices by the middle of next month. But that may do little to allay consumers’ fears that their smart home devices – although pioneering and the next step in convenience – are prone to cybersecurity vulnerabilities.
Findings published yesterday by programmer Brannon Dorsey show that IoT security frailties extend beyond Google’s product ecosystem. Dorsey found DNS rebinding vulnerabilities – a type of network attack that’s been around for more than a decade – in Google’s smart home products, Sonos’ Wi-Fi speakers, smart thermostats, and streaming devices from Roku.
During experimental probing, he discovered that it was possible to restart IoT devices at will and extract private network data. Roku and Sonos are already developing patches to fix the issue.
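As an added example (not part of the original article, nor code from Young or Dorsey), here is one way a defender could look for the DNS rebinding pattern mentioned above in resolver logs: a public hostname that is answered with an internal address. The log format, hostnames, addresses, local suffixes and the 120-second window are assumptions constructed for illustration.

```python
import ipaddress

# Constructed resolver log lines: "epoch_seconds client qname answer_ip ttl"
SAMPLE_LOG = """\
1000 192.168.1.23 news.example.com 93.184.216.34 300
1002 192.168.1.23 a1b2.rebind.example.net 203.0.113.50 1
1061 192.168.1.23 a1b2.rebind.example.net 192.168.1.77 1
1100 192.168.1.40 printer.lan 192.168.1.9 60
1300 192.168.1.40 intranet.example.com 10.0.0.5 300
1400 192.168.1.23 cdn.example.org 198.51.100.7 120
1500 192.168.1.23 cdn.example.org 198.51.100.8 120
"""

# Address space a public hostname should never resolve to from inside the LAN.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]
LOCAL_SUFFIXES = (".lan", ".local", ".home.arpa")  # assumed local-only zones
FLIP_WINDOW = 120  # seconds; assumed, sized around the "about a minute" quoted above

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_rebinding(log_text):
    """Return findings for public names that resolve to internal addresses."""
    last_public = {}  # (client, qname) -> time of the latest public answer
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines
        ts, client, qname, answer, _ttl = parts
        ts, qname = int(ts), qname.lower().rstrip(".")
        if qname.endswith(LOCAL_SUFFIXES):
            continue  # local names are expected to resolve internally
        key = (client, qname)
        if not is_internal(answer):
            last_public[key] = ts
            continue
        seen = last_public.get(key)
        flipped = seen is not None and ts - seen <= FLIP_WINDOW
        findings.append({"time": ts, "client": client, "qname": qname,
                         "answer": answer,
                         "reason": "public-to-internal flip" if flipped
                                   else "internal answer for public name"})
    return findings

if __name__ == "__main__":
    for finding in find_rebinding(SAMPLE_LOG):
        print(finding)
```

Many resolvers can drop such answers outright rather than just log them; dnsmasq's `stop-dns-rebind` option is one example.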