Google has acknowledged that such a bug exists and has promised to fix the issue through a software update, which it will roll out in July
Google’s Chromecast and Home products have a serious bug which makes it easy for hackers to discover the user’s location accurately. The bug allows websites to collect sensitive location data of users of these devices by simply running a script in the background.
However, users of these devices can relax as Google has acknowledged that such a bug exists and has promised to fix the issue through a software update which it will roll out in July.
The bug was discovered by Craig Young, a security firm researcher with Tripwire, who said the bug reveals incredibly accurate information about users of these devices. Initially when Young contacted Google, the tech giant refused to address the bug and closed the bug report with a “Status: Won’t Fix (Intended Behavior)” reply.
The nature of the attack is fairly simple, provided a few conditions are met. First and foremost, the attacker needs to convince the user to click on a fraudulent link which can be contained in a malicious advertisement or even a tweet. Once the user clicks on the link, he needs to stay on the page for a period of at least one minute.
Once the attacker has obtained a user’s accurate location, attackers can move ahead and make multifaceted attacks such as make phishing calls, run extortion scams by fraudulently posing as tax authorities, etc.
“The implications of this are quite broad including the possibility for more effective blackmail or extortion campaigns,” Young said.
“Threats to release compromising photos or expose some secret to friends and family could use this to lend credibility to the warnings and increase their odds of success.”
The whole issue can be attributed to poor authentication standards by Google Home and Chromecast devices as they barely prompt for security authentications if the connections are made via local network.
“We must assume that any data accessible on the local network without credentials is also accessible to hostile adversaries,” Young said in a blog post. “This means that all requests must be authenticated and all unauthenticated responses should be as generic as possible. Until we reach that point, consumers should separate their devices as best as is possible and be mindful of what web sites or apps are loaded while on the same network as their connected gadgets,” he added.
A simple way to stay safe against any such attacks is to follow proper internet browsing practices. Experts advise users to never click on any URLs or links unless they are from known sources.
As an additional layer of security, Young suggests connecting the devices on an additional network using a separate router.“By connecting the WAN port of the new router to an open LAN port on the existing router, attacker code running on the main network will not have a path to abuse those connected devices. Although this does not by default prevent attacks from the IoT devices to the main network, it is likely that most naïve attacks would fail to even recognize that there is another network to attack,” he said.