Google To Patch Smart Speaker, Chromecast Location Leak Bug

Google has said it plans to release a patch for an issue with Google Home and Chromecast, two of its most popular consumer devices, that could allow websites to determine users’ exact location.

The loophole could be used by unscrupulous attackers to make phishing or extortion attacks appear more realistic by including the recipient’s location, such as their street address, according to Tripwire researcher Craig Young, who discovered it.

Young said the issue stems in part from the fact that devices such as the Google Home smart speaker, and Chromecast, which streams media content to a monitor or television, don’t require authentication from connections over a local network.

That means a website could run a simple script to access information from those devices that can be used along with Google’s geolocation lookup service to determine the devices’ location.

Location abuse

“For many years now, device makers have focused to a large degree on a low-friction user experience that ultimately lends itself to abuse,” Young wrote in an advisory.

Unlike an IP address, which only offers a general location, usually within several miles, Google’s geolocation service – which relies on a catalogue of large numbers of wireless networks – can locate devices within a few feet.

Users’ web browsers generally block websites from accessing the information they would need to perform a lookup, unless it’s specifically authorised, but Young said if a Google Home or Chromecast device is located anywhere on the user’s wired or wireless network, an attack script could access those devices and obtain the needed data.

The script would require the user to click on a link that could be embedded in an advertisement or  a Twitter post, Young told the Krebs On Security website.

“An attacker can be completely remote as long as they can get the victim to open a link while connected to the same Wi-Fi or wired network as a Google Chromecast or Home device,” Young said, adding that the link would need to remain open for about a minute for the data to be gathered.

Young told Google about the issue in May, but the company didn’t initially plan to fix the issue, saying it was “intended behaviour”.

It’s now planning a patch in mid-July.

Do you know all about security? Try our quiz!

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Google Warns Of Italian Spyware On Apple, Android Phones

Italian company's hacking tools have been used to spy on Apple, Android smartphones in Italy…

12 hours ago

Intel Signals Delay To Ohio Factory Over US Chips Act Dispute

Chip maker warns new factory in Columbus, Ohio could be delayed or scaled back, over…

13 hours ago

Silicon UK In Focus Podcast: Sustainable Business

How do sustainable businesses use technology to innovate? And as businesses want to connect sustainability…

14 hours ago

Australia Fines Samsung Over Water-Resistance Claims

Samsung rapped over the knuckles by Australian regulator because of 'misleading' Galaxy smartphone water-resistance claims…

1 day ago

Amazon Reveals Alexa Option To Mimic Any Person’s Voice

Bereavement aid for those in mourning? Amazon's Alexa voice assistant could be programmed to sound…

1 day ago