Google Home Helps Attackers Find Your Home

Google Home. (Image credit: Google)

Google Home and Chromecast devices have a firmware design flaw that exposes users’ precise geolocation to potential attackers.

Google Devices Design Flaw

During a lab experiment that Craig Young, a researcher at the security firm Tripwire, was conducting for his Black Hat training, Young discovered that the Home app, which Google Home and Chromecast owners use to configure their devices, was not sending its commands only through the Google Cloud infrastructure, but also to a local HTTP server on the device itself.

The main issue is that these local commands lack any form of authentication, a problem that is common to most Internet of Things (IoT) devices, but one that Google's devices were not expected to have. Using this design flaw in Google's products, Young was able not only to hijack the screen attached to the Chromecast, but also to pinpoint his physical location to within about 10 m, which is nearly GPS precision.

Apparently, Google's use of the HTML5 location API, which derives a position from the nearby Wi-Fi hotspots a device can see, is what allowed Young to extract this information. Starting from a generic URL, Young developed an exploit that scanned the local subnet looking for Google devices. Afterwards, he was able to look at his own house on Google Maps.

“Intended Behavior”

When Young first reached out to Google in May about this design flaw in the company's firmware, Google responded by closing his bug with the message: "Status: Won't Fix (Intended Behavior)." Young noted in his post that browser extensions and mobile apps are typically allowed to query location information without the user being notified. Advertisers have used the same type of technique to identify users.

If Google were taking advantage of the same flaw to better target ads at users, that would explain why the company was at first reluctant to fix this bug.

But after being contacted by cyber security journalist Brian Krebs, Google seems to have changed its mind and said that it planned to release a patch for this flaw in mid-July 2018.

Potential Impact and Mitigation

Young believes that attackers could use this type of exploit to blackmail or extort people more effectively, for instance by sending them fake FBI or IRS warnings, or threats of making compromising photos public. Short of completely disconnecting these devices from the internet, Young said there are a few other options to reduce the risk.

The first one is to segment and isolate your Wi-Fi networks, so that, for instance, you have one Wi-Fi network for work or personal browsing and another for connecting IoT devices, such as smart TVs. Another option is to enable DNS Rebind Protection in your router, a feature that isn’t typically enabled by default.
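As an added example (not code from the article, from Google or from Tripwire), this is the check that a router's DNS Rebind Protection performs: answers for a public hostname that point at LAN, loopback or link-local addresses are dropped, while an allowlisted internal zone (the `allowlist` parameter is this example's own assumption) may still resolve privately. The sample hostnames and addresses are constructed.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Address ranges that a public hostname should never resolve to. An answer that
# lands here is the hallmark of a DNS rebinding attempt: a name first resolves
# to an outside server, then is re-resolved to a LAN address so that a script
# already running in the browser can talk to unauthenticated local HTTP
# services from that outside origin. Routers' "DNS Rebind Protection" refuses
# exactly these answers.
_BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private space
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",       # loopback, link-local, "this"
    "100.64.0.0/10",                                    # shared address space (CGNAT)
    "::1/128", "fc00::/7", "fe80::/10",                 # IPv6 loopback, ULA, link-local
)]


def is_internal(addr: str) -> bool:
    """True if `addr` only makes sense inside a LAN (or on the host itself)."""
    ip = ipaddress.ip_address(addr)
    # IPv4-mapped IPv6 (::ffff:192.168.1.20) smuggles a private v4 address.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in _BLOCKED_NETS)


def filter_answers(qname: str, addresses: Iterable[str],
                   allowlist: Iterable[str] = ()) -> Tuple[List[str], List[str]]:
    """Split a resolver's A/AAAA answers for `qname` into (kept, dropped).

    Internal addresses are dropped unless `qname` is under one of the
    `allowlist` suffixes (your own internal zone, which legitimately lives in
    RFC 1918 space). Dropping rather than rewriting means a rebinding answer
    with nothing left simply looks like a failed lookup to the browser.
    """
    name = qname.rstrip(".").lower()
    suffixes = [a.rstrip(".").lower() for a in allowlist]
    trusted = any(name == s or name.endswith("." + s) for s in suffixes)
    kept, dropped = [], []
    for addr in addresses:
        (dropped if is_internal(addr) and not trusted else kept).append(addr)
    return kept, dropped


if __name__ == "__main__":
    # Constructed sample: a public name whose answer rebinds to the LAN.
    print(filter_answers("attacker.example", ["203.0.113.7", "192.168.1.20"]))
    # Constructed sample: the household's own internal zone may resolve privately.
    print(filter_answers("nas.home.lan", ["192.168.1.20"], allowlist=["home.lan"]))
```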

Young also recommended that all devices that run on the local network be configured as if they were exposed to the internet, especially if the data they transmit over the network is not authenticated.

The Google Home smart speaker was previously found to secretly record users' conversations when Google launched the product last fall. The company fixed that flaw soon after it was discovered.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • Sleepy_Hollowed
    "It's a feature!" - Google, answering to a black hat

    "Oh, we will patch it" - Google, after a journalist brought up the same issue, due to bad press possibilities
  • hoofhearted
    >>The Google Home smart speaker was previously found to secretly record users' conversations when Google launched the product last fall. The company fixed that flaw soon after it was discovered.
    Flaw? I am sure this was intended behavior as well, at least, until it was discovered. Now Google just needs to R&D how to make this non-discoverable.
  • redgarl
    Who the hell would put this piece of garbage in their home? Whatever happens in consequence of using this, you deserve!
  • milkod2001
    @REDGARL I'm afraid most people are just too lazy to think for themselves these days and will simply buy it to follow the latest trends.
  • maetrixss
    @REDGARL to employ the logic I'm seeing more and more these days to excuse horrible things-"well, if you aren't doing anything wrong, you have nothing to worry about."
  • TJ Hooker
    As far as I can tell, the would-be attacker needs to have access to the local network where the google devices are operating in order to exploit this. At which point I'd say them being able to tell where your google home device is located may not be your biggest concern. Also, if they are connected to your LAN, they are probably in or near your house to begin with, at which point being able to determine that the google devices are in your house (where they'd be assumed to be 99.9% of the time) doesn't seem like particularly valuable or sensitive information.

    Maybe I'm missing something, but this honestly doesn't sound like that big of a deal to me.