Google Homes and Chromecasts around the world will be quietly updated in the coming weeks with a patch for a rather serious issue. According to security researcher Craig Young from Tripwire, these devices have a vulnerability that could allow an attacker to find your geographic location if you have a Home or Chromecast on your network. That's a big problem, and Google almost didn't believe Young's bug report.
The issue is that Home and Chromecast devices don't require authentication for commands that come over your local network. The attack uses DNS rebinding to make a web page loaded in your browser talk to your Google hardware, so the request looks like a local one. This way, the attacker gets a list of nearby WiFi networks. Using Google's location services, the nearby networks resolve into a physical location. This is much more accurate than IP address location, which can be off by several miles.
With one of these devices on your network, Young says it only takes about a minute for his hack to return a location. The attack URL could hide in an ad or some other web element that stays open long enough for that to happen. When he reported the defect to Google in May, a developer initially closed the report without a fix. When security blogger Brian Krebs reached out to Google about this, someone at Google realized how dangerous this vulnerability could be and started work on a patch.
There's no evidence this attack is being used in the wild, but Young suggests IoT devices should be on a separate network from your computer. Google's update will fix this issue, but who knows what other nasty surprises could lurk in your nearest smart home device?
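As an added example (not from the original article or from Young's research), the following Python code shows how a defender could spot the DNS rebinding pattern described above in resolver logs: a name that answers with a public address and then, within a short window, with an internal one for the same client. The log format, the 120-second window and the sample lines are constructed assumptions.

```python
import ipaddress
from typing import NamedTuple

# Constructed sample resolver log: epoch, client, queried name, answer, TTL
SAMPLE_LOG = """\
1529400000 192.168.1.23 cdn.example.net 198.51.100.20 300
1529400005 192.168.1.23 rebind.example.org 203.0.113.10 1
1529400020 192.168.1.23 rebind.example.org 192.168.1.50 1
1529400030 192.168.1.40 printer.lan 192.168.1.60 3600
1529400100 192.168.1.41 vpn.example.com 192.0.2.7 60
1529404100 192.168.1.41 vpn.example.com 10.0.0.8 60
"""

# Explicit ranges: RFC 1918, loopback and link-local count as "internal".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]
WINDOW = 120  # seconds between public and internal answer (assumed value)

class Alert(NamedTuple):
    client: str
    name: str
    public_ip: str
    internal_ip: str
    gap: int

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_rebinds(log: str, window: int = WINDOW) -> list[Alert]:
    """Flag names whose answer flips from public to internal within `window`."""
    last_public = {}  # (client, name) -> (timestamp, public answer)
    alerts = []
    for line in log.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines
        ts, client, name, answer, _ttl = fields
        ts = int(ts)
        key = (client, name.lower().rstrip("."))
        if not is_internal(answer):
            last_public[key] = (ts, answer)
            continue
        seen = last_public.get(key)
        # Names that only ever resolve internally (printer.lan) never match.
        if seen and ts - seen[0] <= window:
            alerts.append(Alert(client, key[1], seen[1], answer, ts - seen[0]))
    return alerts
```

Many resolvers can also block the pattern outright rather than only logging it; dnsmasq's `stop-dns-rebind` option, for example, rejects upstream answers that fall in private ranges.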
- Krebs on Security