Google will fix an exploit that let Home and Chromecast leak your location


Google will issue a fix for its Google Home and Chromecast devices to address a flaw that could allow malicious actors to use your smart home device to obtain your precise location.

The exploit was discovered by Tripwire within the Google Home app. The app is used to configure both Home and Chromecast devices. For the most part, the app communicates with Google's cloud to complete actions. However, the Home app performs some actions over the local network using an unsecured HTTP server.


So when you change your Chromecast or Home's device name, or even connect them to Wi-Fi, the Home app is using an unencrypted method that can easily be hijacked. In fact, Tripwire's Craig Young did exactly that. He was able to hijack the connection screen in the Home app and use it to extract location data from his devices that identified his home to within 10 meters.

How is this possible? The attack takes advantage of HTML5's location API, which analyzes the signal strengths of surrounding Wi-Fi access points to triangulate a device's position. In fact, it took Young only a minute to pull the data and locate his own home.

Young warns that this exploit could be used in phishing scams for eventual blackmail or extortion threats. Common phone scams, like pretending to be the IRS or FBI, could use this information to add a sense of credibility to their threats. While the method Young used was DNS rebinding, which essentially hijacks a browser, he warns it could also be exploited by browser extensions and mobile apps in the background.

He also warns that this exploit isn't just limited to Google's devices. Throughout his years auditing smart devices, he's seen this issue crop up several times before in other devices, like smart TVs. Google's solution will likely add a layer of security to the HTTP server while also asking for some sort of authentication before being able to change the device name or connect to Wi-Fi.
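As an added illustration (not code from the article, Tripwire or Google), here is one way a device's local HTTP API could apply the two defences mentioned above: reject requests whose Host header names an outside domain, which is what a browser caught by DNS rebinding sends, and require authentication before a rename or Wi-Fi change. The hostname, paths, port and token are hypothetical, constructed values.

```python
import hmac
import ipaddress

# Hypothetical, constructed values; not taken from any real device.
ALLOWED_HOSTNAMES = {"speaker.local"}
SETUP_TOKEN = "constructed-setup-token"
PROTECTED_PATHS = {"/device/name", "/device/wifi"}


def host_is_local(host_header):
    """True if Host names this device directly, not an outside domain."""
    if not host_header:
        return False
    host = host_header.strip().lower()
    # Strip an optional port, handling bracketed IPv6 literals.
    if host.startswith("["):
        host = host[1:].split("]", 1)[0]
    elif host.count(":") == 1:
        host = host.rsplit(":", 1)[0]
    if host in ALLOWED_HOSTNAMES:
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # any other DNS name, e.g. a rebinding domain
    return addr.is_private or addr.is_loopback or addr.is_link_local


def authorize(path, headers):
    """Return an HTTP status for a request to the local API.

    Header names are assumed to be lower-cased by the caller.
    """
    if not host_is_local(headers.get("host")):
        return 403  # browser reached the device via an outside hostname
    if path in PROTECTED_PATHS:
        supplied = headers.get("authorization", "").encode()
        expected = ("Bearer " + SETUP_TOKEN).encode()
        # Constant-time comparison of the supplied credential.
        if not hmac.compare_digest(supplied, expected):
            return 401
    return 200
```
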
