Google’s range of smart devices includes the Google Home smart speaker and the Google Chromecast streaming device. According to reports, both devices have a severe flaw that allows a third-party website to run a script and track the user’s current location. Reports also indicate that Google is planning to roll out a fix for this bug soon.
According to sources, the tracking works by getting the user to open a link while connected to the same WiFi network as the Google device. To locate the device successfully, however, the link has to be kept open for at least a minute.
According to a report by KrebsOnSecurity, the attack content can come in various forms, such as an advertisement, a tweet or any other medium. You may be aware that some websites save location information in the form of IP addresses. An IP address, however, gives only a rough estimate of the user’s location, not a precise one. Google smart home devices, by contrast, link WiFi networks to their corresponding physical locations, which allows more accurate tracking of the user’s location.
Craig Young, a researcher with security company Tripwire, said, “The difference between this and a basic IP geolocation is the level of precision. For example, if I geolocate my IP address right now, I get a location that is roughly 2 miles from my current location at work. For my home Internet connection, the IP geolocation is only accurate to about 3 miles. With my attack demo however, I’ve been consistently getting locations within about 10 meters of the device.”
The researcher also said that this bug can lead to major phishing and extortion scams, because it gives the attacker precise location information about the user. Young also said that Google initially ignored this threat and refused to roll out a fix. The company has since informed KrebsOnSecurity that it has taken note of the bug and will roll out a fix around mid-July 2018.