Google’s popular Chromecast and Home products suffer from a serious privacy flaw that would let hackers discover your location with incredible accuracy, well beyond the information they could learn from an internet service provider.
The good news is that Google will fix this issue via a software update that should be released in July, although Google decided back in May not to address it. Until then, the chances of hackers actually finding out your location are incredibly slim, if you’re internet-savvy enough not to fall for phishing schemes.
The vulnerability was first discovered by Craig Young, a researcher at security firm Tripwire, but Googlers ignored it until famous security blog Krebs on Security reached out to Google.
Young disclosed the attack in May, but the company closed the bug report with a “Status: Won’t Fix (Intended Behavior)” message.
Sure, for the attack to work, an attacker would have to dupe his or her victim into clicking on a fraudulent link, and then keep the victim on the link for about a minute. So if you’re careful about what kind of content you access while browsing the web, you’d be safe. Also, there are often far worse attacks that can be orchestrated if you get someone to click the wrong link.
But some people fall for phishing schemes. And in case hackers obtain a victim’s accurate location, they may devise more complex attacks, and even impersonate authorities, such as the police, the FBI, or the IRS, and offer their access to one’s location as proof they’re a law enforcement agency. The victim would then be more likely to give in to the hacker’s demands.
According to Young, the attack relies on Google’s ability to map the world using Wi-Fi networks. A known Wi-Fi network would correspond to a specific address, and Google uses Wi-Fi tracking to provide accurate navigation information.
“The difference between this and a basic IP geolocation is the level of precision,” Young told Krebs on Security. “For example, if I geolocate my IP address right now, I get a location that is roughly 2 miles from my current location at work. For my home Internet connection, the IP geolocation is only accurate to about 3 miles. With my attack demo however, I’ve been consistently getting locations within about 10 meters of the device.”
For added peace of mind, you could add an extra layer of security to your IoT home by creating a new Wi-Fi network for all your smart devices. Check out Krebs’ full post on the matter.