Google is in the process of fixing an unnerving security bug in its Google Home and Chromecast devices—one in which a malicious website could potentially learn your exact location. While the bug itself is cause for concern, it’s worth understanding precisely how Google can triangulate your location via mapped wireless networks, an ability that may surprise some device owners.
Security investigator Brian Krebs reported Monday that Craig Young, a researcher with security firm Tripwire, discovered a security vulnerability in Google Home and Chromecast products that stems from poor authentication protocols. With a simple script, a website could collect precise location data on Chromecast and Google Home device owners.
An attack would work like this: A site—which could merely be an advertisement on a page—would request a list of nearby wireless networks from the Google device on your Wi-Fi network. Google Home and Chromecast devices don’t currently have any authentication protocols in place for this kind of request, so any site could ask for this information—one that is legitimately trying to use your location to provide a service, like an accurate weather forecast, or one that intends to use this information against you. The site would then send the list to Google’s geolocation look-up services to pinpoint your location. This process would take about a minute to complete. From there, a malicious actor could use your location information to better target phishing attacks or scams, like those fake IRS warnings. It could also lend credence, Young said, to extortion or blackmail campaigns.
Google originally called this geolocation issue an “intended behavior,” but it has since agreed to fix the flaw. A patch should arrive in mid-July.
Young’s advice: Whenever possible, keep your connected home products on a separate network from other smartphones or computers—the devices you use to browse the internet and download data. This minimizes the chances that a malicious website will gain access to that network’s details and your personal information. (He offers details on how to set that up.)
It’s common for websites to track the IP addresses of their visitors, which offer only general insight into a user’s location—IP addresses may map to a location several miles away from your actual physical address. But Google doesn’t merely collect IP-address data to estimate a user’s location. Instead, Google retains a detailed map of known Wi-Fi networks and access points. By knowing the exact location of these networks, and your proximity to them, its location services can gauge your location with roughly 30 feet of accuracy.
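As an added illustration (not code from this article, from Google or from Young's research), the sketch below shows why a list of visible access points with signal strengths is location data in itself once the access points have been mapped. The access-point database, the scan, the path-loss parameters and the weighted-centroid method are all assumptions made for the example.

```python
import math

# Constructed survey database: BSSID -> (latitude, longitude) of the access point.
# A real location service holds a far larger map; these values are made up.
AP_MAP = {
    "aa:bb:cc:00:00:01": (47.60000, -122.33000),
    "aa:bb:cc:00:00:02": (47.60020, -122.33000),
    "aa:bb:cc:00:00:03": (47.60000, -122.32970),
}

def rssi_to_metres(rssi_dbm, tx_at_1m=-40.0, path_loss_exp=3.0):
    """Log-distance path-loss model; both parameters are assumed indoor values."""
    return 10 ** ((tx_at_1m - rssi_dbm) / (10 * path_loss_exp))

def estimate_position(scan, ap_map=AP_MAP):
    """Weighted centroid of known APs; closer (stronger) APs get more weight.

    scan: list of (bssid, rssi_dbm). Returns (lat, lon, n_used) or None.
    """
    lat_sum = lon_sum = weight_sum = 0.0
    used = 0
    for bssid, rssi in scan:
        known = ap_map.get(bssid.lower())
        if known is None:          # unmapped network: contributes nothing
            continue
        weight = 1.0 / rssi_to_metres(rssi) ** 2
        lat_sum += known[0] * weight
        lon_sum += known[1] * weight
        weight_sum += weight
        used += 1
    if used == 0:
        return None
    return lat_sum / weight_sum, lon_sum / weight_sum, used

def metres_between(a, b):
    """Equirectangular distance, adequate over a few hundred metres."""
    dlat = math.radians(b[0] - a[0])
    dlon = math.radians(b[1] - a[1]) * math.cos(math.radians((a[0] + b[0]) / 2))
    return 6371000 * math.hypot(dlat, dlon)

# Constructed scan taken close to the first AP, with one unmapped network.
SCAN = [("AA:BB:CC:00:00:01", -45), ("aa:bb:cc:00:00:02", -70),
        ("aa:bb:cc:00:00:03", -72), ("de:ad:be:ef:00:09", -50)]

if __name__ == "__main__":
    lat, lon, used = estimate_position(SCAN)
    print(f"{used} mapped APs -> {lat:.5f}, {lon:.5f}")
    print(f"{metres_between((lat, lon), AP_MAP['aa:bb:cc:00:00:01']):.1f} m from AP 1")
```

With only three mapped networks the estimate already lands within a metre or so of the strongest access point, which is why a network list deserves the same protection as coordinates.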
Google has been using this technique to figure out your location for years. It’s far more accurate than relying on satellite-based GPS technology, which can be affected by tall buildings or cloud cover as your device’s signal bounces between Earth and space. Wi-Fi has very little interference (as long as you don’t live in an old house with chicken wire in the walls) and Wi-Fi networks of homes and businesses tend to be stationary, which means they’re reliable locationwise.
In your own home, Google can identify your location thanks to the handshake between your router’s Wi-Fi name or MAC address and an Android device. Any time a GPS-enabled Android device picks up your router’s broadcast signal, it can pinpoint its location and relay that information to Google’s location servers. Other than stopping your router from broadcasting its unique ID—which would mean manually connecting to your network each time you want to get on Wi-Fi at home—there’s no way to prevent this from happening.
For the most part, this Wi-Fi–based location mapping is useful: This is how Google can so quickly and accurately pinpoint your exact location on a map. If you’re walking through a densely populated, high rise–filled downtown, this Wi-Fi network–based mapping technique can mean the difference between your little blue dot showing up where you actually are or a block or two away. It’s also how apps like Google Maps and Waze can continue to work well even if you have your GPS switched off. However, that information in the wrong hands is a serious privacy concern. In the case of Google Home and Chromecast units, Young’s demo of the attack is so accurate that he can tell “roughly how far apart his device in the kitchen is from another device in the basement.”
Young’s demo—and the revelation that your exact home location could be shared with third parties via your Google Home or Chromecast—is unsettling, but Google is working on a fix, so the hole should be patched in a matter of weeks. It does, however, act as a timely reminder of the security risks smart home products can introduce to your home network. Amazon and Google, the leaders in the smart-speaker space, have so far been quick to react to potential threats to their products, something that’s not true of all “internet of things” product makers. As long as that pattern continues, device owners should be in good shape—but if you want to ensure connected home safety, put those devices on a separate wireless network.