Google will fix an exploit that let Home and Chromecast leak your location

Your Home could leak your home location

Google will fix location data leak
The Ambient is reader-powered. If you click through using links on the site, we may earn an affiliate commission. Learn more

Google will issue a fix for its Google Home and Chromecast to address an exploit that could allow malicious actors to exploit your smart home device to get your accurate information.

The exploit was discovered by Tripwire within the Google Home app. The app is used to configure both Home and Chromecast devices. For the most part, the app communicates with Google's cloud to complete actions. However, there are some actions that the Home app does on a local network with an unsecured HTTP server.

Read this: The best Google Assistant devices

So when you change your Chromecast or Home's device name, or even connect them to Wi-Fi, the Home app is using an unencrypted method that can easily be hijacked. In fact, Tripwire's Craig Young did exactly that. He was able to hijack the connection screen in the Home app and used it to extract location data from his devices that identified his home within 10 meters.

How is this possible? It takes advantage of HTML 5's location API, which analyzes signal strengths in surrounding Wi-Fi spots to triangulate a device's position. In fact, it only took Young a minute to pull the data and locate his own home.

Young warns that this exploit could be used in phishing scams for eventual blackmail or extortion threats. Common phone scams, like pretending to be the IRS or FBI, could use this information to add a sense of credibility to their threats. While the method Young used was DNS rebinding, which essentially hijacks a browser, he warns it could also be exploited by browser extensions and mobile apps in the background.

He also warns that this exploit isn't just limited to Google's devices. Throughout his years auditing smart devices, he's seen this issue crop up several times before in other devices, like smart TVs. Google's solution will likely add a layer of security to the HTTP server while also asking for some sort of authentication before being able to change the device name or connect to Wi-Fi.

New Google hardware...

Nest Audio smart speaker

Chromecast with Google TV

TAGGED    google home

Related stories

google home How to change the sensitivity of Hey Google: Adjusting Google Assistant's microphone sensitivity
google home Google Home multi-room music setup explained: Nest, Chromecast and more
amazon alexa Amazon Alexa v Google Assistant: Pitting the voices against each other
smart speakers Deezer free tier now works with Google Home smart speakers
google home How to play music on Google Home smart speakers: Spotify, Deezer, YouTube and more
google home How to update your Google Home, Nest Mini, Nest Audio, Home Max or Google Nest Hub