IoT devices such as smart home accessories have long been a favorite target for security researchers, and they are raising alarm again: Google Home and Chromecast leaked accurate information about their owners’ location.
This vulnerability was discovered by Craig Young, a researcher from famed security firm Tripwire, who managed to find his own home on Google Maps after executing the attack you can watch in the video above.
“Using the DNS rebinding software from my IoT training, I was able to create a basic end-to-end attack that worked for me in Linux, Windows, and macOS using Chrome or Firefox. Starting from a generic URL, my attack first identifies the local subnet and then scans it looking for the Google devices and registers a subdomain ID to initiate DNS rebinding on the victim. About a minute after the page had loaded, I was looking at my house on Google Maps,” he summarized.
The vulnerability in question drew alarm
Even worse, he points out that “the attack content could be contained within malicious advertisements or even a tweet”, as the attacker only needs to maintain a connection for 1 minute in order to get a location.
Craig Young contacted Google about this in May, but the bug he submitted was quickly closed with a “Status: Won’t Fix (Intended Behavior)” message. After more media outlets picked up the story, Google said they’ll ship an update in mid-July 2018.
What should you do until then if you have Google Home or Chromecast?
Tripwire says that “consumers should separate their devices as best as is possible and be mindful of what websites or apps are loaded while on the same network as their connected gadgets.”
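Beyond separating devices, a home or office resolver can also be watched for the DNS pattern that rebinding relies on: a name served from the internet that answers with an internal address. The sketch below is an added example, not code from Tripwire or Google; the log format, the sample lines, the local suffix list and the 120-second window are all assumptions made for illustration.

```python
import ipaddress

# Constructed sample resolver log, one answer per line:
# "<epoch seconds> <client ip> <queried name> <answer ip>"
SAMPLE_LOG = """\
1529300000 192.168.1.23 cdn.example.net 198.51.100.7
1529300005 192.168.1.23 a1b2.rebind.example 203.0.113.10
1529300040 192.168.1.23 a1b2.rebind.example 192.168.1.50
1529300100 192.168.1.23 printer.lan 192.168.1.9
1529300200 192.168.1.40 c3d4.rebind.example 10.0.0.7
"""

# Address space a name served from the internet should never point into.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]
LOCAL_SUFFIXES = (".lan", ".local", ".home.arpa")  # assumed internal zones
WINDOW = 120  # assumed: seconds in which a public-to-internal flip is suspicious


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_rebinding(log_text, window=WINDOW):
    """Return (ts, client, name, answer, kind) for each suspicious answer."""
    last_public = {}  # (client, name) -> time of the latest public answer
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        try:
            ts, internal = int(parts[0]), is_internal(parts[3])
        except ValueError:
            continue  # bad timestamp or address
        client, name = parts[1], parts[2].lower().rstrip(".")
        if name.endswith(LOCAL_SUFFIXES):
            continue  # internal names are expected to resolve internally
        if not internal:
            last_public[(client, name)] = ts
            continue
        seen = last_public.get((client, name))
        flipped = seen is not None and ts - seen <= window
        findings.append((ts, client, name, parts[3],
                         "flip" if flipped else "internal-answer"))
    return findings
```

On the constructed log, `find_rebinding(SAMPLE_LOG)` reports the `a1b2.rebind.example` answer as a `flip` and the `c3d4.rebind.example` answer as an `internal-answer`, while `printer.lan` is ignored.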