Your Google Home or Google Chromecast device might give away your location to malicious hackers, a security researcher has found. Google is working to fix this, but the patch might not be ready until next month.
Craig Young, a researcher at Tripwire, explained in a blog post today (June 18) that a technique called DNS rebinding lets a malicious website, or even a malicious ad, get access to devices on a user's home network.
From there, the malicious site can get a list of the Wi-Fi networks that a Google Home or Chromecast device "sees," and use Google Maps' hotspot-triangulation function to determine where on Earth the Google device is located.
"I’ve been consistently getting locations within about 10 meters of the device," Young told independent security blogger Brian Krebs, who got an exclusive first look at Young's findings.
What to Do
You can't insulate Google Home or Chromecast from this without a firmware update from Google, Young explained. But you can minimize your risk by segmenting your home network and putting smart-home devices on a separate network from your PCs.
If your router permits you to create a guest network, do so and move all your smart-home devices, including any Chromecasts or Google Home devices, to it. Keep your PCs and printers on the primary network.
The Google Maps Connection
Google has been cataloguing the locations of Wi-Fi hotspots around the world for years. Sometimes it uses Street View cars to pick up Wi-Fi signals as they drive down residential streets. Sometimes it uses data from Android smartphones that happen to have both Wi-Fi and GPS turned on at the same time.
All this is done to aid the accuracy of Google Maps and targeted ads based on location. But it has the side effect of being a very effective geolocation tool.
Why This Is Bad
So what, you ask? Of course Google knows where I am if I have a Chromecast or a Google Home device! The problem, though, is that Young's method of attack demonstrates that malicious hackers and criminals can find out what Google knows.
That could lead to all sorts of scams. If Boris Badenov the Russian cybercriminal knows that you live at 1313 Mockingbird Lane, then Boris can send you an email or make a phone call to you pretending to be your neighbor up the street at 1325 Mockingbird Lane, claiming that he'd seen you do something illegal and wants money to stay silent.
Or Boris could pretend to be the FBI and say that the Bureau had detected downloading of illegal pornography taking place at 1313 Mockingbird Lane, and that you are facing a big fine, which you can conveniently pay through Bitcoin.
Young posted a video on YouTube showing how a malicious website (actually a file on one of his own machines) found at least two Google devices on his home network, then extracted information about Wi-Fi networks near them to determine that Young was in an Atlanta suburb.
Google Drags Its Feet
Young told Krebs that he contacted Google about this problem in May, and that the company said that this wasn't actually a problem. Google changed its mind after Krebs reached out to it, and now plans to have fixes ready by mid-July.