Google Home, Chromecast Can Tell Bad Guys Where You Live
Google Home, Chromecast can tell attacking websites which Wi-Fi networks are nearby, which reveals exactly where the devices physically are.
Your Google Home or Google Chromecast device might give away your location to malicious hackers, a security researcher has found. Google is working to fix this, but the patch might not be ready until next month.
Craig Young, a researcher at Tripwire, explained in a blog post today (June 18) that a technique called DNS rebinding lets a malicious website, or even a malicious ad, get access to devices on a user's home network.
From there, the malicious site can get a list of the Wi-Fi networks that a Google Home or Chromecast devices "sees," and use Google Maps' hotspot-triangulation function to determine where on Earth the Google device is located.
"I’ve been consistently getting locations within about 10 meters of the device," Young told independent security blogger Brian Krebs, who got an exclusive first look at Young's findings.
What to Do
You can't insulate Google Home or Chromecast from this without a firmware update from Google, Young explained. But you can minimize your risk by segmenting your home network and putting smart-home devices on a separate network from your PCs.
If your router permits you to create a guest network, do so and move all your smart-home devices, including any Chromecasts or Google Home devices, to it. Keep your PCs and printers on the primary network.
Sign up to get the BEST of Tom's Guide direct to your inbox.
Get instant access to breaking news, the hottest reviews, great deals and helpful tips.
MORE: The One Router Setting Everyone Should Change (But No One Does)
The Google Maps Connection
Google has been cataloguing the locations of Wi-Fi hotspots around the world for years. Sometimes it uses StreetView cars to pick up Wi-Fi signals as they drive down residential streets. Sometimes it uses data from Android smartphones that happen to have both Wi-Fi and GPS turned on at the same time.
All this is done to aid the accuracy of Google Maps and targeted ads based on location. But it has the side effect of being a very effective geolocation tool.
Why This Is Bad
So what, you ask? Of course Google knows where I am if I have a Chromecast or a Google Home device! The problem, though, is that Young's method of attack demonstrates that malicious hackers and criminals can find out what Google knows.
That could lead to all sorts of scams. If Boris Badenov the Russian cybercriminal knows that you live at 1313 Mockingbird Lane, then Boris can send you an email or make a phone call to you pretending to be your neighbor up the street at 1325 Mockingbird Lane — and that he'd seen you do something illegal and wants money to stay silent.
Or Boris could pretend to be the FBI and say that the Bureau had detected downloading of illegal pornography taking place at 1313 Mockingbird Lane, and that you are facing a big fine, which you can conveniently pay through Bitcoin.
Video Proof
Young posted a video on YouTube showing how a malicious website (actually a file on one of his own machines) found at least two Google devices on his home network, then extracted information about Wi-Fi networks near them to determine that Young was in an Atlanta suburb.
Google Drags Its Feet
Young told Krebs that he contacted Google about this problem in May, and that the company said that this wasn't actually a problem. Google changed its mind after Krebs reached out to it, and now plans to have fixes ready by mid-July.
Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.