File photo: Rishi Chandra, Director of Product Management, Google Chromecast, talks about the Google Home Max loudspeaker during a launch event in San Francisco, California, USA October 4, 2017. REUTERS/Stephen Lam
Your Google Home or Google Chromecast device could give away your location to malicious hackers, a security researcher has found. Google is working to solve this problem, but the patch will not be ready until next month.
Craig Young, a researcher at Tripwire, said in a blog post today (June 18) that a technique called DNS rebinding can allow a malicious website, or even a malicious ad, to get access to devices on a network.
From there, the malicious site can obtain a list of the Wi-Fi networks that a Google Home or Chromecast device can “see,” and use Google Maps’ hotspot triangulation function to determine where on Earth the Google device is located.
“I have consistently gotten locations within a radius of about 10 meters of the device,” Young told the independent security blogger Brian Krebs, who got an exclusive first look at Young’s findings.
What to Do
You can’t fix this on a Google Home or Chromecast without a firmware update from Google, Young explained. But you can minimize your risks by segmenting your private network and putting smart-home devices on a separate network from your PCs.
If your router supports it, you can create a guest network and put all of your smart-home devices on it, including any Chromecasts or Google Home devices. Keep your PCs and printers on the primary network.
The Google Maps Connection
Google has been cataloguing the locations of Wi-Fi hotspots around the world for years. Sometimes it uses Street View cars to pick up Wi-Fi signals as they drive down residential streets. Sometimes the data comes from Android smartphones that happen to have both Wi-Fi and GPS enabled at the same time.
All of this is done to improve the accuracy of Google Maps and to target ads based on location. But a side effect is a very effective geolocation tool.
Why This Is Bad
So what, you ask? Of course Google knows where I am if I have a Chromecast or a Google Home device! The problem is that Young’s method of attack shows that malicious hackers and criminals can find out what Google knows.
That can lead to all sorts of scams. If Boris Badenov, a Russian cybercriminal, knows that you live at 1313 Mockingbird Lane, Boris can send you an email or call you pretending to be your neighbor down the street at 1325 Mockingbird Lane, saying that he has seen you do something illegal and wants money to keep quiet.
Or Boris could pretend to be the FBI, saying that the agency had found illegal pornography being downloaded at 1313 Mockingbird Lane, and that you face a large fine, which you can easily pay via Bitcoin.
Young posted a video on YouTube showing how a malicious website (actually a file on one of his own machines) found at least two Google devices on his own network, then extracted information about nearby Wi-Fi networks to determine that Young was in a suburb of Atlanta.
Google Drags Its Feet
Young told Krebs that he contacted Google about this issue in May, and the company said that it was not really a problem. Google changed its mind after Krebs reached out, and is now planning to have fixes ready in mid-July.