Google Home and Chromecast Can Reveal Precise Location

Google Home and the Chromecast have an authentication vulnerability that makes it possible to read the precise location of the devices remotely. Google is working on a fix for the vulnerability.

The vulnerability can be exploited by having a user click on a link while connected to the same network as the Google Home speaker or Chromecast player. For example, the link can be part of a tweet or advertisement. After the user clicks, the attacker can request a list of nearby Wi-Fi networks from the Home or Chromecast.

Because Google has mapped the location of wireless networks, the location of the devices can be determined precisely via the HTML5 geolocation API. For example, only a global impression of the location can be obtained via the IP address. The conditions are that the target keeps the connection to the link open for about a minute and that there are enough Wi-Fi networks in the vicinity to accurately determine the position via triangulation.

The basis of the vulnerability lies with the Home app that is used for the Home speaker and Chromecast when configuring the network settings. This requires no authentication and works via the local http server. Security firm Tripwire, which discovered the problem, deployed its DNS rebinding software for the attack.

For example, according to Krebs on Security, the attack can be exploited in phishing and extortion attempts. Google initially thought there was no problem as the service worked as intended, but eventually the company decided to update both the Home and Chromecast. This should be done in mid-July.