Google Home, Chromecast security hole can allow cybercriminals to ‘blackmail’ users

Information

Google Home, Chromecast security hole can allow cybercriminals to ‘blackmail’ users

Are you using the Google Home or a Chromecast at your house? Then take note. As per a researcher named Craig Young with security firm Tripwire, GoogleHome and Chromecast devices have a serious vulnerability that can leak your precise location within 10 meters to an attacker. The attacker can then use this location information to make online threats or stalking traps more credible and accurate. For example, providing your precise location inside your own house to a stalker who is remotely tracking you seemingly makes you even more vulnerable.

While the vulnerability is only limited to unauthorised access of exact data location of the user, the effect is not just limited to that. The researcher says “The implications of this are quite broad including the possibility for more effective blackmail or extortion campaigns. Threats to release compromising photos or expose some secret to friends and family could use this to lend credibility to the warnings and increase their odds of success.”

Google was notified of this issue in earlier occasions as well, but the technology giant did not pay any heed to the findings of Young. But when another security researcher showcased the same vulnerability to Google, the company has finally budge. Google has reportedly said that it will fix this issue with an update next month (July).

 

What exactly is the vulnerability?

Most users connect their Google Home, Chromecast, smartphones or their PCs to the same home Wi-Fi network. Now, there is a bug in Google Home and Chromecast devices which doesn’t seek authentication for connection requests from other devices within the same network. To exploit this vulnerability, the attacker needs to ask the “Google device for a list of nearby wireless networks.” This information can be later mapped to Google’s geolocation lookup services to get the exact location of the user.

 

“An attacker can be completely remote as long as they can get the victim to open a link while connected to the same WiFi or wired network as a Google Chromecast or Home device. The only real limitation is that the link needs to remain open for about a minute before the attacker has a location,” Young toldKrebs on Security blog.