Google Home and Chromecast devices have a firmware design flaw that exposes users’ precise geolocation to potential attackers.
Google Devices Design Flaw
During a lab experiment Craig Young, a researcher working for the security firm Tripwire, was conducting for his Black Hat training, Young discovered that the Home app, which is what Google Home and Chromecast owners use to configure their devices, wasn’t performing its tasks only through the Google Cloud infrastructure, but also through a local HTTP server.
The main issue here is that these commands lack any form of authentication, a problem that is common with most Internet of Things (IoT) devices, but which Google’s devices weren’t expected to have. Using this design flaw in Google’s products, Young was able to not only hijack the screen attached to the Chromecast, but also pinpoint his physical location with a 10m precision, which is almost as precise as the GPS location.
Apparently, Google’s use of the HTML5 location API, which can gather location information from proximity to other Wi-Fi hotspots, is what allowed Young to extract this information. Starting from a generic URL, Young developed an exploit that scanned the local subnet looking for Google devices. Afterwards, he was able to look at his own house on Google Maps.
“Intended Behavior”
When Young first reached out to Google in May about this design flaw in the company’s firmware, Google responded by closing his bug with the message: “Status: Won’t Fix (Intended Behavior).” Young noted in his post that browser extensions and mobile apps are typically allowed to query location information without the user being notified about it. This type of technique has been used by advertisers to identify who the users are.
If Google was taking advantage of the same flaw to better target ads at users, then that would explain why the company was at first reluctant to fix this bug.
But after being contacted by cyber security journalist Brian Krebs, Google seems to have changed its mind and said that it had planned to release a patch for this flaw for mid-July 2018.
Potential Impact and Mitigation
Young believes that attackers could more effectively blackmail or extort people through this type of exploit, by sending them fake FBI or IRS warnings, or even threats of making compromising photos public. Short of completely disconnecting these devices from the internet, Young said there are a few other options to minimize the risk against attackers.
The first one is to segment and isolate your Wi-Fi networks, so that, for instance, you have one Wi-Fi network for work or personal browsing and another for connecting IoT devices, such as smart TVs. Another option is to enable DNS Rebind Protection in your router, a feature that isn’t typically enabled by default.
Young also recommended that all devices that run on the local network be configured as if they were exposed to the internet, especially if the data they transmit over the network is not authenticated.
The Google Home smart speaker was previously found to secretly record users’ conversations when Google launched the product last fall. The company fixed that flaw soon after it was discovered.