Is Google Home or Chromecast Leaking Your Location?

Product Management Google Chromecast speaks about the Google Home Max speaker during a launch event in San Francisco California

Google Home and Chromecast GPS location leak [Fix Incoming]

Devices like Chromecast and Google Home usually don't require authentication from third parties to receive data on local networks, bad actors could exploit the generous permissions to collect that sensitive data. In many cases, IP geolocation offers only a general idea of where the IP address may be based geographically. This is because the information was processed over Google's own geolocation data, which taps into broadband networks and smartphones to link Wi-Fi routers to a physical spot. It is common for networks to work with Internet Protocol (IP) addresses within the network, and that includes location information which is in most cases imprecise (region or area only).

"An advertiser could embed code in their mobile apps or websites to recognize when different sessions originate from the same house or workplace and use this to build more specific profiles for targeted ads", Young said in an email.

The bug in these devices essentially allows any website to see nearby wireless connections and cross-reference with Google's database to determine the precise location of the user.

A bug in Google's Home and Chromecast gadgets could show cyber criminals where you live. Until then, the chances of hackers actually finding out your location are incredibly slim, if you're internet-savvy enough not to fall for phishing schemes.

The location exploit is risky, as Young explains "The implications of this are quite broad including the possibility for more effective blackmail or extortion campaigns", he said.

They could use your location "to lend credibility to the warnings and increase their odds of success", Young said.

More comedy producers are following Seth MacFarlane’s lead by bashing Fox
Paul Feig , who directed 20th Century Fox's " Spy " and " The Heat ", also expressed his outrage over Fox News' coverage. There are some indications, however, that the ongoing criticism of Fox News could end up hurting the company's business.

When the researcher initially filed a bug report to Google describing the issue, the company dismissed the report, closing it with the message "Won't Fix [Intended Behavior]".

According to the source link below, Google is apparently planning on rolling out "an update to address the privacy leak in both devices". Said update is suggested to be coming in mid-July of 2018. "This means that all requests must be authenticated and all unauthenticated responses should be as generic as possible".

Earlier this year, KrebsOnSecurity posted some basic rules for securing your various "Internet of Things" (IoT) devices.

At this stage the vulnerability doesn't appear to have been used in the wild, but Young does recommend that any IoT devices on your network be on a separate network to your computer.

"A much easier solution is to add another router on the network specifically for connected devices", Young wrote.

As a method of mitigating exposure, Young said he has at least three distinct networks in his home at any given time so that if he is surfing the web on his main network, "a rogue website or app would not be able to find or connect to my devices".

Latest News