Google is planning to release a patch to fix an authentication vulnerability in its Google Home and Chromecast devices that made it easy for attackers to pinpoint your exact location. Tripwire researcher Craig Young discovered the weakness while creating a lab exercise demonstrating how websites can identify and take control of screens or speakers on a local network.
Young said an attacker could use DNS rebinding to carry out an attack. After exploiting a loophole to obtain a list of nearby wireless networks, the attacker could then use Google's location lookup services to triangulate a user's location to an accuracy of just a few feet.
"It turns out that although the Home app – which allows users to configure Google Home and Chromecast – performs most actions using Google’s cloud, some tasks are carried out using a local HTTP server. Commands to do things like setting the device name and WiFi connection are sent directly to the device without any form of authentication," Young wrote in a blog post. "Although Google’s app, which uses this functionality, implies that you must be logged into a Google account linked with the target device, there is, in fact, no authentication mechanism built into the protocol level.
"On my home network, with the aid of my DNS rebinding server, I was not only able to hijack the screen attached to my Chromecast but I was actually able to use data extracted from the devices to determine their physical location with astonishing accuracy."
Young notes this is made possible by analyzing signal strengths for surrounding WiFi networks and then triangulating a position based on WiFi access point maps collected by the millions of phones that have opted into Google's location services.
To carry out the attack, a hacker can send you a link that contains malicious JavaScript while you are connected to the same network as a Google Home or Chromecast device.
"Starting from a generic URL, my attack first identifies the local subnet and then scans it looking for the Google devices and registers a subdomain ID to initiate DNS rebinding on the victim. About a minute after the page had loaded, I was looking at my house on Google Maps," he noted. Young said the attack worked for him in Windows, macOS and Linux using Chrome or Firefox.
Beyond determining a user's precise location, the data collected could also be leveraged in targeted blackmail, phishing or extortion campaigns, where location-specific details make the threats more convincing.
Young initially reached out to Google in May about his discovery. However, the company responded by closing the bug report along with a "Status: Won't Fix (Intended Behavior)" message. After KrebsOnSecurity reached out to the tech giant, Google said it will roll out an update to fix the vulnerability in both devices by mid-July.
“We must assume that any data accessible on the local network without credentials is also accessible to hostile adversaries,” Young said. “This means that all requests must be authenticated and all unauthenticated responses should be as generic as possible. Until we reach that point, consumers should separate their devices as best as is possible and be mindful of what web sites or apps are loaded while on the same network as their connected gadgets.”
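Young's point that a local HTTP API must not trust unauthenticated requests from anything on the LAN has a well-known counterpart for the DNS rebinding technique described above: the browser sends the attacker's domain in the Host header, and a resolver can refuse public names that answer with private addresses. The snippet below is an added illustration of both checks; it is not code from Young's research or from Google's fix, and the hostnames, addresses and allowlist are constructed samples.

```python
import ipaddress
from typing import Iterable, List

# Constructed sample allowlist: names a local device may legitimately be reached by.
LOCAL_NAMES = {"localhost", "chromecast.lan"}
LOCAL_SUFFIXES = (".lan", ".local")


def is_internal_address(addr: str) -> bool:
    """True for RFC 1918, loopback and link-local addresses, the targets a rebinding attack points a public name at."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback or ip.is_link_local


def filter_rebinding_answers(qname: str, answers: Iterable[str]) -> List[str]:
    """Resolver-side defence: drop internal-range answers for names that are not local.
    A public name resolving to 192.168.x.x after the page has loaded is the rebinding step."""
    name = qname.rstrip(".").lower()
    is_local_name = name in LOCAL_NAMES or name.endswith(LOCAL_SUFFIXES)
    return [a for a in answers if is_local_name or not is_internal_address(a)]


def host_header_allowed(host_header: str, listen_addrs: Iterable[str]) -> bool:
    """Device-side defence: a local HTTP API answers only when the Host header names the device
    itself (an allowlisted name or one of its own addresses). During rebinding the browser still
    sends the attacker's domain as Host, so that request can be refused before any handler runs."""
    host = host_header.strip().lower()
    if host.startswith("["):                      # IPv6 literal, e.g. [fe80::1]:8008
        host = host[1:host.find("]")] if "]" in host else host
    else:                                         # strip an optional :port
        host = host.split(":", 1)[0]
    if host in LOCAL_NAMES:
        return True
    try:
        own = {ipaddress.ip_address(a) for a in listen_addrs}
        return ipaddress.ip_address(host) in own
    except ValueError:                            # not an IP literal and not allowlisted
        return False


if __name__ == "__main__":
    print(filter_rebinding_answers("attacker.example", ["8.8.8.8", "192.168.1.20"]))  # ['8.8.8.8']
    print(host_header_allowed("attacker.example", ["192.168.1.20"]))                  # False
    print(host_header_allowed("192.168.1.20:8008", ["192.168.1.20"]))                 # True
```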