Update your Google Home and Chromecast ASAP, Google to roll out fix

19 June, 2018, 15:39 | Author: Rafael Roberts

If the URL is clicked and the webpage is kept open for around a minute, the user's home Global Positioning System location is found - and subsequently exploited.

Google is planning to release a patch for a worrying IoT security vulnerability that can enable precise location tracking of Home speaker and Chromecast users. IP address lookups can also offer your whereabouts, but can usually only pinpoint your location within several miles.

Young said a demo he created (a video of which is below) is accurate enough that he can tell roughly how far apart his device in the kitchen is from another device in the basement.

This is typically not the case with Google's geolocation data, which includes comprehensive maps of wireless network names around the world, linking each individual Wi-Fi network to a corresponding physical location.

Young says he was only able to test the flaw in three different locations, but in each case, the location obtained by the website corresponded to the right street address. These can then be cross-checked using Google's location services to get an accurate location.


The trick, Young said, is made possible by analyzing signal strengths for surrounding Wi-Fi networks and then triangulating a position based on mapped Wi-Fi access points. For example, this sort of specific location data could easily be used in "blackmail or extortion campaigns", potentially making them more effective by giving more credibility to the threat. When the researcher initially filed a bug report to Google describing the issue, the company dismissed the report, closing it with the message "Won't Fix [Intended Behavior]". According to Krebs on Security (via The Verge), Google will fix the problem with an update in mid-July.

The issue is that Home and Chromecasts don't require authentication for commands that come over your local network.

Earlier this year, KrebsOnSecurity posted some basic rules for securing your various "Internet of Things" (IoT) devices. "If you have a device and it allows you to do something without a password, it's very likely that an attacker can do the same using a malicious mobile app or via web pages with DNS rebinding, or via some other technique we haven't thought of yet".

A much easier solution is to add another router on the network specifically for connected devices.

The only way to completely mitigate the risk of being tracked by these kinds of devices is to disconnect them, according to Young, although using professional network segmentation or a separate router for connected smart-home items can help thwart attacks.
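
The quote above names DNS rebinding as one route to devices that accept unauthenticated commands from the local network. As an added example (not from the article, Young or Google), this Python check shows what a defender can run over resolver answers on the home or office network: flag any public hostname that resolves to an internal address. The sample answers, the local suffix list and the function names are constructed for illustration.

```python
import ipaddress

# Internal ranges a public DNS name should never resolve to.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",      # loopback, link-local, "this" net
    "::1/128", "fc00::/7", "fe80::/10",                 # IPv6 equivalents
)]

LOCAL_SUFFIXES = (".lan", ".local", ".home.arpa")  # assumed local-only zones

# Constructed sample of (queried name, answer address) pairs from a resolver log.
SAMPLE_ANSWERS = [
    ("www.example.com", "198.51.100.7"),
    ("a1.rebind.example.net", "203.0.113.10"),
    ("a1.rebind.example.net", "192.168.1.23"),   # same name now points at the LAN
    ("printer.lan", "192.168.1.50"),              # local zone, expected
    ("cdn.example.org", "127.0.0.1"),
    ("v6.example.org", "fd12:3456::8"),
]


def is_internal(ip_text):
    """True if the address falls in a private, loopback or link-local range."""
    ip = ipaddress.ip_address(ip_text)
    mapped = getattr(ip, "ipv4_mapped", None)  # unwrap ::ffff:a.b.c.d
    if mapped is not None:
        ip = mapped
    return any(ip.version == net.version and ip in net for net in INTERNAL_NETS)


def find_rebinding_suspects(answers, local_suffixes=LOCAL_SUFFIXES):
    """Return (name, address, reason) for public names answered with internal IPs."""
    suspects = []
    seen_public = set()  # names that earlier resolved to a public address
    for name, ip_text in answers:
        name = name.rstrip(".").lower()
        if name.endswith(local_suffixes):
            continue  # names in local zones are allowed to be internal
        if is_internal(ip_text):
            reason = ("flipped from public address" if name in seen_public
                      else "internal answer")
            suspects.append((name, ip_text, reason))
        else:
            seen_public.add(name)
    return suspects
```

Resolvers that drop such answers outright (rebinding protection on the router or DNS forwarder) apply the same test before the response reaches the browser.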
