Google plans to release a patch sometime in the next few weeks to fix a bug in its Home smart speaker and Chromecast TV streaming stick that lets a website collect precise user location data, according to a report from security reporter Brian Krebs. The bug, disclosed by researcher Craig Young at security firm Tripwire, works by exploiting a loophole in Google’s systems to cross-check a list of nearby wireless networks with Google’s precise geolocation look-up services.
Essentially, by using the location gleaned from nearby Wi-Fi networks through a Google Home or Chromecast, a malicious website can triangulate a user’s location. And because those devices rarely require authentication from third parties to receive data on local networks, bad actors could exploit the generous permissions to collect that sensitive data. Here is Krebs explaining how Google’s geolocation data gives it the ability to “determine a user’s location to within a few feet” and differs greatly from your standard IP-based geolocation:
It is common for websites to keep a record of the numeric Internet Protocol (IP) address of all visitors, and those addresses can be used in combination with online geolocation tools to glean information about each visitor’s hometown or region. But this type of location information is often quite imprecise. In many cases, IP geolocation offers only a general idea of where the IP address may be based geographically.
This is typically not the case with Google’s geolocation data, which includes comprehensive maps of wireless network names around the world, linking each individual Wi-Fi network to a corresponding physical location. Armed with this data, Google can very often determine a user’s location to within a few feet (particularly in densely populated areas), by triangulating the user between several nearby mapped Wi-Fi access points. [Side note: Anyone who’d like to see this in action need only to turn off location data and remove the SIM card from a smartphone and see how well navigation apps like Google’s Waze can still figure out where you are].
“I’ve only tested this in three environments so far, but in each case the location corresponds to the right street address,” Young told Krebs. “The Wi-Fi based geolocation works by triangulating a position based on signal strengths to Wi-Fi access points with known locations based on reporting from people’s phones.” Compared to IP-based geolocation, which is only accurate to about two to three miles around the device, the method using Google’s data is precise to about 30 feet. That makes it useful for determining exact addresses where a Chromecast or Google Home is connected to local Wi-Fi. Here is Young demoing the bug in action:
According to Krebs, Google only agreed to issue a fix once Krebs contacted the company and made clear he intended to write about the issue. (Young had previously contacted Google, but the company considered the geolocation issue an “intended behavior.”) The fix is expected to arrive sometime in the middle of July.
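To make concrete why a list of nearby access points and their signal strengths is effectively location data, here is an added example (not from the article, and not Google's algorithm) of a simplified weighted-centroid estimate of the kind of Wi-Fi positioning Young describes. The access point database, the scan, the coordinates and the path-loss constants are all constructed assumptions.

```python
import math

# Constructed survey database: BSSID -> (lat, lon) of a mapped access point.
AP_DB = {
    "aa:aa:aa:00:00:01": (40.00010, -75.00000),
    "aa:aa:aa:00:00:02": (40.00000, -74.99980),
    "aa:aa:aa:00:00:03": (39.99985, -75.00010),
}
# Constructed scan as seen by a device at (40.0, -75.0): (BSSID, RSSI in dBm).
SCAN = [
    ("aa:aa:aa:00:00:01", -71),
    ("aa:aa:aa:00:00:02", -77),
    ("aa:aa:aa:00:00:03", -78),
    ("bb:bb:bb:00:00:09", -60),  # not in the database, so it is ignored
]

def rssi_to_meters(rssi_dbm, tx_at_1m=-40.0, path_loss_exp=3.0):
    """Log-distance path-loss model; both constants are assumed indoor values."""
    return 10 ** ((tx_at_1m - rssi_dbm) / (10 * path_loss_exp))

def estimate_position(scan, ap_db):
    """Weighted centroid of known APs; nearer (stronger) APs weigh more."""
    lat_sum = lon_sum = weight_sum = 0.0
    for bssid, rssi in scan:
        if bssid not in ap_db:
            continue
        weight = 1.0 / rssi_to_meters(rssi) ** 2
        lat, lon = ap_db[bssid]
        lat_sum += weight * lat
        lon_sum += weight * lon
        weight_sum += weight
    if weight_sum == 0.0:
        raise ValueError("no scanned access point has a known location")
    return lat_sum / weight_sum, lon_sum / weight_sum

def haversine_m(p, q):
    """Great-circle distance in meters between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*p, *q))
    a = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371000 * math.asin(math.sqrt(a))

if __name__ == "__main__":
    est = estimate_position(SCAN, AP_DB)
    print(f"estimate {est}, error {haversine_m(est, (40.0, -75.0)):.1f} m")
```

With only three mapped access points, the estimate lands within a few meters of the constructed true position, which is the gap between this method and the miles-wide uncertainty of IP-based lookups that the article describes.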