Google Home and Chromecast devices could be giving away your location

Google is planning to release a patch for a worrying IoT security vulnerability that can enable precise location tracking of Home speaker and Chromecast users.

Security researcher Craig Young of Tripwire claims to have found an authentication weakness that exposes near-pinpoint location data on users via their smart home gadgets.

An intruder could use a malicious website to exploit a loophole in Google’s back-end systems and “determine a user’s location to within a few feet.”

Young says it works by asking the Google device for a list of nearby wireless networks and then sending that list to Google’s own geolocation services. The exploit requires the user to click a link and remain on the page for a minute in order to give up their location, but it’s worrying nonetheless, especially considering the attacker doesn’t have to be on the local network.

“An attacker can be completely remote as long as they can get the victim to open a link while connected to the same Wi-Fi or wired network as a Google Chromecast or Home device,” Young told KrebsOnSecurity (via Engadget).

“The only real limitation is that the link needs to remain open for about a minute before the attacker has a location. The attack content could be contained within malicious advertisements or even a tweet.”

Young created a video of the exploit in action. The exploit has been successful in three environments and gleaned a precise street address on each occasion.

He added: “The Wi-Fi based geolocation works by triangulating a position based on signal strengths to Wi-Fi access points with known locations based on reporting from people’s phones.”

After Young’s initial inquiries were brushed off, Krebs followed up with Google, which said the fix is coming sometime within the next month.

