Google Home and Chromecast users are susceptible to a location privacy leak. The bug was discovered in May, but Google declined to comment until recently, saying it would release an update to fix the problem in mid-July.
Craig Young, a researcher with security firm Tripwire, found the bug that leaks extremely accurate location data about users from the two devices. Hackers can retrieve the information by running a simple script that uses WiFi networks to determine location with Google’s geolocation lookup services. Google Chromecast and Google Home devices would just need to have a malicious link open for more than a minute to give the attacker access, Young said.
The devices use Wi-Fi-based location mapping, which can determine location within about 30 feet. Because the location information leaked is so precise, scammers can make phishing and extortion attempts much more realistic, and thus, easier to fall for.
There are a few ways to protect yourself from these attacks if you own a Google Home or Chromecast before the bug fixes go live in July.
Brian Krebs published a post on his blog suggesting a multi-router set up that may protect your devices from less complex attacks. Krebs also shares other tips on securing your internet of things.
Young advises Google Home and Chromecast users keep the connected products in their homes on a different and separate network from any device used to browse the internet and download data.
Google has been using Wi-Fi-based location mapping for years. It’s what allows its apps to quickly and accurately pinpoint your location in Google Maps, whether you’re connected to Wi-Fi or not. This kind of information leaked to third parties is an issue that Google is promising to remedy within the next few weeks.