Google will fix an exploit that let Home and Chromecast leak your location

Your Home could leak your home location

Google will fix location data leak
The Ambient is reader-powered. If you click through using links on the site, we may earn an affiliate commission. Learn more

Google will issue a fix for its Google Home and Chromecast to address an exploit that could allow malicious actors to exploit your smart home device to get your accurate information.

The exploit was discovered by Tripwire within the Google Home app. The app is used to configure both Home and Chromecast devices. For the most part, the app communicates with Google's cloud to complete actions. However, there are some actions that the Home app does on a local network with an unsecured HTTP server.

Read this: The best Google Assistant devices

So when you change your Chromecast or Home's device name, or even connect them to Wi-Fi, the Home app is using an unencrypted method that can easily be hijacked. In fact, Tripwire's Craig Young did exactly that. He was able to hijack the connection screen in the Home app and used it to extract location data from his devices that identified his home within 10 meters.

How is this possible? It takes advantage of HTML 5's location API, which analyzes signal strengths in surrounding Wi-Fi spots to triangulate a device's position. In fact, it only took Young a minute to pull the data and locate his own home.

Young warns that this exploit could be used in phishing scams for eventual blackmail or extortion threats. Common phone scams, like pretending to be the IRS or FBI, could use this information to add a sense of credibility to their threats. While the method Young used was DNS rebinding, which essentially hijacks a browser, he warns it could also be exploited by browser extensions and mobile apps in the background.

He also warns that this exploit isn't just limited to Google's devices. Throughout his years auditing smart devices, he's seen this issue crop up several times before in other devices, like smart TVs. Google's solution will likely add a layer of security to the HTTP server while also asking for some sort of authentication before being able to change the device name or connect to Wi-Fi.

TAGGED    google

Related stories

google Nest Audio pictured: Next-gen Google Home smart speaker goes live this month
televisions Android TV: Features, tips and the best apps to download
google Lenovo Smart Clock Essential takes Google Assistant back to basics
google How to use Google Assistant Family Bell to make home-schooling more 'fun'
google Cast it: The Chromecast tips and tricks you need to know
google Long awaited Android TV dongle looks likely for launch