Google's catalogue of smart home gadgets include the Google Home smart speaker range as well as the popular Chromecast streaming device. Fresh reports are now coming in that indicate Google might soon push out an update to fix a glaring bug that allows websites to easily run a script that can acquire precise location data of the user with any of these devices. As per the report, the attack is made possible by getting the victim to open a link on the same Wi-Fi network as the Google device. To track the location, however, the link will need to remain open for one minute before location can be traced back.
Content in the attack could be disguised in the form of an advertisement, tweet, or any other medium, reports KrebsOnSecurity. Notably, websites save location information in the form of IP addresses, which are not accurate enough to detect precise location information. However, Google's smart home devices link Wi-Fi networks to their corresponding physical location thanks to access to "comprehensive maps of wireless network names across the world."
"The difference between this and a basic IP geolocation is the level of precision. For example, if I geolocate my IP address right now, I get a location that is roughly 2 miles from my current location at work. For my home Internet connection, the IP geolocation is only accurate to about 3 miles. With my attack demo however, I've been consistently getting locations within about 10 meters of the device," said Craig Young, a researcher with security firm Tripwire.
The researcher also notes that this kind of a bug could give the much-needed authenticity and credibility to phishing and extortion scams by letting the attacker know the precise location of the victim. Initially, Young states that Google had ignored his bug report with a "Status: Won't Fix (Intended Behaviour)" message. However, Google has now told KrebsOnSecurity that it plans to issue an update by mid-July 2018.
This major privacy flaw is said to have arisen because of the nature of Google Home and Chromecast devices that have questionable authentication for connections that are received on a local network. For this, Young suggests that all requests should be authenticated and all unauthenticated requests should be generic.