Google Home and Chromecast can leak their location with astonishing accuracy

A security researcher has discovered that Google Home and Google Chromecast can leak their precise physical location. It's also possible to hijack the screen that is connected to a Google Home or Google Chromecast device.


The attack is possible because both devices can be configured through Google's Home app, which performs most of its actions using Google's cloud but uses a local HTTP server for some tasks. When a user configures the device's name and Wi-Fi connection, the commands are sent to the device's HTTP server without any form of authentication. Google states users have to be logged in to their Google account, but in reality this isn't checked.

This not only allows an attacker to hijack the screen that is connected to a Google Home or Google Chromecast device, it can also be used to retrieve data from the devices, according to security researcher Craig Young from the company Tripwire. And that data can be used to determine the device's physical location with “astonishing accuracy”, Young adds.

The data is so accurate because Google has a database of Wi-Fi networks around the world that are linked to physical locations. By measuring the signal strength of Wi-Fi networks close to the user, Google can triangulate the precise location of the user.


To retrieve the location of a victim, an attacker has to trick the victim into opening a website and leaving it open for at least a minute in order to retrieve the exact location. Tricking a user into opening a website can be done with, for example, a link in an email. It's also possible to place the malicious content in an advertisement or even a Tweet.

Google is aware of the issue and plans to release an update next month.
