Google is preparing to plug a potential privacy leak in its Google Home smart speakers and Chromecast television devices, one that could reveal your location.
The vulnerability was discovered by the Tripwire security firm. Researcher Craig Young blogged that the problem stems from fundamental design choices that he says are prevalent among Internet of Things devices.
One such issue, Young writes, is that “devices rarely require authentication for connections received on a local network.”
Although the Home app you use to configure Google Home and Chromecast performs most actions using Google’s cloud, Young says that some tasks are carried out using a local HTTP server. And that’s where a remote intruder or scammer might be able to break through.
Google said it’s fixing the vulnerability, which security researcher Brian Krebs first reported on. In a statement emailed to USA TODAY, Google said, “Security is an ongoing focus for our teams. We’re aware of the report and will be rolling out a fix in the coming weeks.”
For your location to get compromised, you would have to visit a specific website on your computer at home and stay on that website for a minute or so, possibly several minutes.
If the victim opens a link while connected to the same Wi-Fi or wired network as a Chromecast or Home device, the hacker could access the user’s location, said Young.
Young wrote that in his own tests, “I was not only able to hijack the screen attached to my Chromecast but I was actually able to use data extracted from the devices to determine their physical location with astonishing accuracy.”