Smart speakers, that is, devices that listen to their owners and obey their every command, are becoming more and more popular. But as with most “smart” things, the device is only as clever as the software it uses, and sometimes that software is really dumb, if not outright dangerous. This has now been proven by Google Home and Chromecast, both of which are leaking their (and your) location data.
Security researcher Chris Young found a vulnerability in Google Home, a home assistant similar to Alexa, and Chromecast, a stick that allows you to stream TV shows, videos, and games from your devices to your TV. This privacy vulnerability leaks your location, pinpointed to within 10 meters, to anyone who knows how to look for it. This is possible because some of the tasks performed by Google Home and Chromecast are carried out unencrypted, without the use of HTTPS.
How does the vulnerability work?
To get to the information, a cyber crook would have to set up a webpage with some malicious code running in the background. Once a potential victim visits it, the code starts to search for the two Google devices. If they are found, a request is sent that asks Google Home and Chromecast for a couple of specific pieces of information.
Now, if it were only the IP address, it would not be an issue. Webpages constantly save those, and every website owner can use a tool to figure out where the visitors of his or her page are from. To some degree anyway, since this method is not very precise at all most of the time. Google, though, uses a far more accurate method to know where all its users are located: the Google Location Service.
With Location Service, Google maps network names around the world to their real-life locations. Thanks to that data, it is then possible to find out pretty much exactly where each user is situated. In a showcase, Young set up a webpage that would sniff out the visitors’ whereabouts if they stayed on the site for more than a minute. Take a look at the video below; it is really creepy!
What are the dangers?
Imagine someone with not-so-good intentions had access to your actual address. Cybercriminals could use it to adapt phishing emails to include your home address. Who would not be inclined to believe such an email to be real if it appeared to come from some lawyer or institution you know has your data anyway?
What to do in order to stay safe
According to Young, the best way to deal with issues like this is to place smart devices, including the Google ones, on their own network. In his home he uses at least three of them: “This means that if I am surfing the web on my main network, a rogue website or app would not be able to find or connect to my devices. When using Chromecast, I need to then either switch networks temporarily or else use the sometimes glitchy ‘Guest Mode.’”