Google to shut down location revealing Chromecast and Google Home bug... in a month

Google has reportedly promised to fix a vulnerability in its Chromecast devices and Google Home speakers that could let attackers discover the location of users. According to Krebs on Security (via The Verge), Google will fix the problem with an update in mid-July.

The attack itself was found by security researcher Craig Young of security firm Tripwire. Attackers can exploit security weaknesses in Chromecasts and Google home speakers to get a list of nearby wireless networks. These can then be cross-checked using Google’s location services to get an accurate location.

In testing, Young said he was able to consistently get a position within 10 meters of the device. This compares to a location two miles away when he tried to geolocate his IP address.

Young also said the attack can be done completely remotely as long as the attacker can get the victim to open a malicious link while connected to the same network as the device. The link would then need to stay open for around a minute. You can see how quickly it can be achieved in the video below.

Young pointed out that the attack opens up the possibility of more realistic phishing or extortion attempts. While many people are used to anonymous — and often unspecific — email scams, attackers could use precise location information to make them all-the-more convincing (and dangerous).

It’s common advice but it’s worth saying again: avoid opening links you don’t understand or trust when you’re online. If you want to know more about IoT security, then you can check out our guide by clicking here.

Next up: Google Home Chromecast support – how it works, and what you need