Google Home and Chromecast devices could be giving away your location

Google is planning to release a patch for a worrying IoT security vulnerability that can enable precise location tracking of Home speaker and Chromecast users.

Security researcher Craig Young of Tripwire claims to have found an authentication weakness that dishes near-pinpoint location data on users, via their smart home gadgets.

An intruder could use a malicious website to exploit a loophole in Google’s back-end systems and “determine a user’s location to within a few feet.”

Related: Google Home review

Young says it works by asking the Google device for wireless network devices nearby and then sending the list to the company’s own geolocation services. The exploit requires the user to click and remain on the page for a minute in order to give up their location, but it’s worrying nonetheless, especially considering the attacker doesn’t have to be on the local network.

“An attacker can be completely remote as long as they can get the victim to open a link while connected to the same Wi-Fi or wired network as a Google Chromecast or Home device,” Young told KrebsOnSecurity (via Engadget).

“The only real limitation is that the link needs to remain open for about a minute before the attacker has a location. The attack content could be contained within malicious advertisements or even a tweet.”

Young created a video of the exploit in action, which has been successful in three environments and gleaned a precise street address on each occasion.

He added: “The Wi-Fi based geolocation works by triangulating a position based on signal strengths to Wi-Fi access points with known locations based on reporting from people’s phones.”

After Young’s initial inquiries were brushed off, Krebs followed up with Google, who said the fix is coming sometime within the next month.

Do you think we’ve moved too fast with IoT devices? Are the continuing security worries enough to keep them out of your home? Drop us a line @TrustedReviews on Twitter.