Google will reportedly push out a fix for its Google Home and Chromecast devices at some point near the middle of July, following reports that the devices were leaking location data. The leak, first reported by the source, apparently takes advantage of Google’s own location collection method to triangulate a device’s location based on the strength of surrounding Wi-Fi signals. In short, the problem stems from a weakness in authentication that would allow an attacker to discover the location of those devices to within ten meters. All that would be required is for a user to open a malicious link while on the same network as one of the two devices, and the attacker would effectively be able to discover the user’s location. According to the source, the primary caveat for the attacker is that the link needs to remain open for more than a minute.
Regardless, since the link could be an advertisement, a tweet on Twitter, or a whole swath of other content, that wouldn’t be too hard to accomplish. A typical attack of this type would return a range often encompassing an entire city or, in more accurate cases, a neighborhood. Google’s method for obtaining location data, however, is far more accurate to begin with. In fact, the more densely populated an area is – in terms of surrounding networks – the more accurate the location data is. Worse, when the leak was first discovered and reported as a bug to the search giant, the company’s initial response was to ignore it. According to the source, the company closed the bug report as something that was working as intended.
Following subsequent reports and the sharing of a video showing how the attack could be accomplished, Google has reportedly decided to issue a fix. However, that won’t be ready for around a month from this writing. As pointed out by the sources, phishing attacks and similar activities are among the most likely to make use of this method in the meantime. For example, a bad actor might steal a user’s home location and then use that information to make threats or to contact the user for more personal details. In either case, the availability of a more exact location, combined with Google Street View or other sources, could make the interactions seem more authentic to victims. Those are going to be the primary threats to watch for, for now.