Google will fix an exploit that let Home and Chromecast leak your location

Your Home could leak your home location


Google will issue a fix for its Google Home and Chromecast devices to address a flaw that could allow malicious actors to use your smart home device to obtain your accurate location.

The exploit was discovered by Tripwire within the Google Home app, which is used to configure both Home and Chromecast devices. For the most part, the app communicates with Google's cloud to complete actions. However, the Home app carries out some actions on the local network using an unsecured HTTP server.


So when you change your Chromecast or Home's device name, or even connect them to Wi-Fi, the Home app is using an unencrypted method that can easily be hijacked. In fact, Tripwire's Craig Young did exactly that. He was able to hijack the connection screen in the Home app and used it to extract location data from his devices that identified his home within 10 meters.

How is this possible? It takes advantage of HTML5's location API, which analyzes the signal strengths of surrounding Wi-Fi access points to triangulate a device's position. In fact, it only took Young a minute to pull the data and locate his own home.

Young warns that this exploit could be used in phishing scams for eventual blackmail or extortion threats. Common phone scams, like pretending to be the IRS or FBI, could use this information to add a sense of credibility to their threats. While the method Young used was DNS rebinding, which essentially hijacks a browser, he warns it could also be exploited by browser extensions and mobile apps in the background.

He also warns that this exploit isn't just limited to Google's devices. Throughout his years auditing smart devices, he's seen this issue crop up several times before in other devices, like smart TVs. Google's solution will likely add a layer of security to the HTTP server while also asking for some sort of authentication before being able to change the device name or connect to Wi-Fi.
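The kind of hardening that paragraph anticipates can be sketched as a request gate for a local configuration endpoint. This is an added example, not Google's code or its actual fix: it assumes Host-header validation (a common DNS rebinding mitigation) combined with a bearer token, and the hostname, token and addresses are constructed.

```python
import hmac
import ipaddress

# Constructed values for illustration only; not taken from any real device.
ALLOWED_HOSTNAMES = {"speaker.local"}
SETUP_TOKEN = "constructed-example-token"


def host_is_local(host_header: str) -> bool:
    """True if Host is a private IP literal or an allowlisted local name.

    After DNS rebinding the browser still sends the attacker's domain in the
    Host header, so any other name marks the request as rebound.
    """
    host = host_header.strip().lower()
    if host.startswith("["):                 # bracketed IPv6 literal, e.g. [fe80::1]:8080
        host = host[1:].split("]", 1)[0]
    elif host.count(":") == 1:               # name-or-IPv4 followed by :port
        host = host.split(":", 1)[0]
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:                       # not an IP literal
        return host in ALLOWED_HOSTNAMES


def authorize(headers: dict) -> int:
    """Return the HTTP status a local configuration endpoint should send."""
    if not host_is_local(headers.get("Host", "")):
        return 403                           # likely DNS rebinding
    supplied = headers.get("Authorization", "").encode()
    expected = f"Bearer {SETUP_TOKEN}".encode()
    if not hmac.compare_digest(supplied, expected):
        return 401                           # unauthenticated caller on the LAN
    return 200


# Constructed sample requests (headers only).
SAMPLES = {
    "rebound page": {"Host": "rebind.attacker.example:8080"},
    "LAN, no token": {"Host": "192.168.1.20:8080"},
    "paired app": {"Host": "192.168.1.20:8080",
                   "Authorization": f"Bearer {SETUP_TOKEN}"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name}: {authorize(hdrs)}")
```

The Host check stops rebound browser requests, while the token check covers the other callers Young mentions, such as browser extensions and background mobile apps on the same network.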
