Google Home and Chromecast have a serious privacy issue


If the URL is clicked and the webpage is kept open for around a minute, the user's home GPS location can be found and subsequently exploited. This is because the information is processed using Google's own geolocation data, which taps into broadband networks and smartphones to link Wi-Fi routers to a physical spot. "The Wi-Fi based geolocation works by triangulating a position based on signal strengths to Wi-Fi access points with known locations based on reporting from people's phones". Your Smart Home devices, IP camera, Smart TV, Chromecast, and Google Home are connected to a second router.

Mr Young set up a website that ran malicious software created to remotely infect a victim's computer and extract the location data stored on nearby Google devices. [Side note: Anyone who'd like to see this in action need only turn off location data and remove the SIM card from a smartphone to see how well navigation apps like Google's Waze can still figure out where you are.]

In the researcher's proof of concept, a URL is opened on a computer connected to a Wi-Fi network that's also connected to a Google Home or Chromecast device.

"An advertiser could embed code in their mobile apps or websites to recognize when different sessions originate from the same house or workplace and use this to build more specific profiles for targeted ads", Young said in an email. Common scams like fake Federal Bureau of Investigation or IRS warnings or threats to release compromising photos or expose some secret to friends and family could abuse Google's location data to lend credibility to the fake warnings, Young notes. This compares to a location two miles away when he tried to geolocate his IP address.

"The implications of this are quite broad including the possibility for more effective blackmail or extortion campaigns", said Young in a Krebs on Security article. "Common scams like fake Federal Bureau of Investigation or IRS warnings or threats to release compromising photos or expose some secret to friends and family could use this to lend credibility to the warnings and increase their odds of success".

The good news is that Google is working on a fix for this, although it nearly wasn't: Young says that when he first reported the issue to Google in May, the bug report was marked as 'Won't Fix (Intended Behavior)'. After being contacted by KrebsOnSecurity, Google changed its tune, saying it planned to ship an update to address the privacy leak in both devices.


Google is expected to release a fix for the bug in mid-July.

"The confluence of these properties means that web browsers and, therefore, websites can sometimes interact with network devices", Young explained in a blog post on Monday.

Young also recommended that all devices that run on the local network be configured as if they were exposed to the internet, especially if the data they transmit over the network is not authenticated.
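What Young's recommendation can look like for a device's local HTTP API, as an added sketch that is not taken from Young's research or from Google's code: the device refuses requests a web page caused a browser to send and requires a secret even from LAN clients. The host names, port, token and sample requests are constructed for illustration.

```python
import hmac

# Constructed values for this sketch: the names the device answers to on the
# LAN, the browser origins allowed to call it, and a secret set at pairing.
ALLOWED_HOSTS = {"192.168.1.50:8080", "speaker.local:8080"}
ALLOWED_ORIGINS = set()  # no web page is allowed to call this API
API_TOKEN = "constructed-example-token"


def authorize(headers):
    """Decide whether a request to the device's local HTTP API is served.

    headers maps lower-cased header names to values.
    Returns (http_status, reason).
    """
    # 1. The request must be addressed to a name the device actually owns.
    if headers.get("host", "").lower() not in ALLOWED_HOSTS:
        return 403, "unexpected Host header"
    # 2. Browsers attach Origin to cross-site requests made by page scripts.
    origin = headers.get("origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return 403, "request issued by a web page"
    # 3. Being on the LAN is not proof of identity: require the secret.
    supplied = headers.get("authorization", "").encode()
    expected = ("Bearer " + API_TOKEN).encode()
    if not hmac.compare_digest(supplied, expected):
        return 401, "missing or invalid token"
    return 200, "ok"


# Constructed sample requests (header dictionaries), not captured traffic.
SAMPLES = {
    "paired app": {"host": "192.168.1.50:8080",
                   "authorization": "Bearer constructed-example-token"},
    "page script": {"host": "192.168.1.50:8080",
                    "origin": "http://ads.example"},
    "foreign name": {"host": "some-site.example:8080"},
    "no token": {"host": "speaker.local:8080"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name:13s} -> {authorize(hdrs)}")
```

Only the paired client with the token is served; the other three requests are refused before any device data is returned.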

The attack can be done remotely as long as the victim is connected to the same network as the device.

One way to isolate your Internet of Things devices from the rest of your home network is to use a multi-router setup, a method used by security researcher Steve Gibson.
