Skip to Content
Security & privacy

Alert! Chromecast and Google Home exposes users’ personal data

Google’s popular smart gadgets like the Chromecast and the Google Home are bringing affordable ways to fast-track your humble abode into the “smart home” era.

The Chromecast, of course, is Google’s streaming stick that lets you “cast” content from your smartphone or your computer while the Google Home is a virtual assistant/smart speaker comparable to the Alexa and the Amazon Echo.

However, as our homes get increasingly connected, this also gives hackers more opportunities to poke holes and gain access to our systems and even our personal information.

Turning your house into a smart home is exciting but be careful! Listen to my Komando On Demand podcast to learn how to watch for the warning signs so technology doesn’t take over your home.

Case in point, this recently discovered flaw in these Google devices can potentially reveal your location with pinpoint precision. Read on and learn more about this attack and the various ways you can protect your home and your family from it.

Google’s location privacy flaw

A vulnerability in Google’s Chromecast and Google Home smart speaker was recently discovered by Craig Young, a researcher with cybersecurity firm Tripwire.

How bad is the flaw? According to Young’s findings, by using a malicious link, an attacker can remotely reveal a Chromecast or Google Home’s location with stunning accuracy.

Apparently, all it takes for an attacker to track down your location is by getting you to click a malicious link and then remotely ask a Chromecast or a Google Home for a list of all the nearby Wi-Fi access points in its vicinity.

This list can then be used with Google’s own precise geolocation lookup services and use Wi-Fi-based triangulation to accurately reveal your gadget’s location within a few feet.

“I’ve only tested this in three environments so far, but in each case, the location corresponds to the right street address,” Young told cybersecurity website KrebsOnSecurity. “The Wi-Fi-based geolocation works by triangulating a position based on signal strengths to Wi-Fi access points with known locations based on reporting from people’s phones.”

An attacker doesn’t even have to be connected to your local network for the flaw to work. All it requires is for you to open a malicious link while you’re connected to the same network as a Chromecast or a Google Home gadget then have that link open for about a minute.

Why the one-minute window? Evidently, that’s the time it takes for Google’s geolocation services to triangulate your position.

Check out the video below for Young’s demonstration video.

Security risks from this attack

The concerning part about this attack is that the script needed to run it can be hidden just about anywhere on the web, be it a website element, a malicious advertisement, or even a tweet.

All it requires is for you to have the page open long enough for the geolocation tracking to kick in.

And aside from privacy concerns about having your location accurately revealed to websites and advertisers, this flaw can be a boost for phishing and extortion scammers out there.

For example, a phishing attempt may appear to be authentic or blackmailers and extortionists can make their threats more credible by stating your exact address.

Fix from Google is on its way

Thankfully, KrebsOnSecurity confirmed that Google will fix the Chromecast and Google Home location flaw “in the coming weeks.”

According to TripWire, the flaw is a result of poor authentication systems on the Chromecast and the Google Home. Basically, these devices don’t require authentication when a request is coming over the local network. However, this attack uses DNS rebinding to make it look like its commands are coming locally.

We’re assuming that Google’s fix will include an updated authentication method for local connections.

How to protect yourself from this attack

Until Google rolls out the fix, hopefully by mid-July, there’s really not much you can do against this attack.

There’s no real evidence that this is being actively exploited but for now, just employ good security practices by not clicking on unknown links, websites and attachments.

Set up a separate network

Another effective way to protect yourself from Internet-of-Things attacks such as this one is to put your smart appliances on a separate network that’s different from your main one.

You can do this by setting up a completely different Wi-Fi router or by simply enabling your router’s “Guest Network” option, a popular feature for most routers. Note: Make sure you enable encryption and password-protect your guest network too.

This way, your more critical personal devices, like your personal computers, smartphones, and tablets, are segregated from specific Internet-Of-Things attacks.

Click here to learn more about setting up a separate Wi-Fi network.

Stop robocalls for good with Kim’s new eBook

Robocalls interrupt us constantly and scam Americans out of millions of dollars every year. Learn Kim's best tricks for stopping annoying robocalls in this handy guide.

Get the eBook