Google Home and Chromecast devices allow attackers to uncover the precise physical locations of the connected gadgets thanks to two common internet of things issues present in both. A fix from Google is incoming in July.
“The confluence of these properties means that web browsers and, therefore, websites can sometimes interact with network devices,” Young explained in a blog post on Monday. “It turns out that although the Home app – which allows users to configure Google Home and Chromecast – performs most actions using Google’s cloud, some tasks are carried out using a local HTTP server. Commands to do things such as setting the device name and WiFi connections are sent directly to the device without any form of authentication.”
“Starting from a generic URL, my attack first identifies the local subnet and then scans it looking for the Google devices, and registers a subdomain ID to initiate DNS rebinding on the victim,” Young noted.
The code served by the malicious URL asks the Google device for a list of nearby wireless networks. Running that list through the Google Maps geolocation service then reveals the user’s location through Wi-Fi triangulation, which draws on the Wi-Fi access point maps collected by the millions of phones opted into Google’s enhanced location services. The effort takes around a minute, according to Young.
The accuracy is notable: “If you’ve ever explored the HTML5 location API, you’ll probably agree that it’s nothing short of amazing,” Young said. “Even without a GPS receiver, [Google] Maps has typically been able to locate my machine within 10 meters.”
Using the DNS rebinding software, he created a basic end-to-end attack that worked in Linux, Windows and macOS using Chrome or Firefox. However, Young told Threatpost that an attack could also be carried out via a malicious mobile app.
“If you think about it in the context of an Android or iPhone app—these can connect to anything on your network,” he told Threatpost. “It’s able to see the IP address of [the] phone and check nearby devices.”
He added, “There are a lot of ways attackers could get clever and map out home networks. If you have a device and it allows you to do something without a password, it’s very likely that an attacker can do the same using a malicious mobile app or via web pages with DNS rebinding, or via some other technique we haven’t thought of yet.”
In addition to letting criminals physically track down devices and potentially arming an attacker with geo-data that can be used to craft more believable phishing or extortion messages, the attack also allows a third party to correlate who shares the household.
“Say a website gives you a tracking cookie,” explained Young in the interview. “Someone could run this attack and pull some unique information from the home network, to correlate whether there’s a connection between the cookie and the network.”
The problems are not specific to Google devices, it should be noted.
“There are many, many IoT devices out there with these issues,” Young said.
The only way to completely mitigate the risk of being tracked by these kinds of devices is to disconnect them, according to Young, although using professional network segmentation or a separate router for connected smart-home items can help thwart attacks. Users should also be mindful of what websites or apps are loaded while on the same network as the devices.
Also, “those using DD-WRT [Linux platform for routers] might be getting protection from this by default as long as devices [are] pointed to [the] router for DNS,” explained Young.
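
One common form of DNS-level rebinding protection, sketched here as an added example (not code from Young, Google or DD-WRT): a resolver-side filter that strips internal addresses from answers for public names, plus a log check for names that flip from a public address to an internal one. The `.lan` and `.home.arpa` suffixes, the function names and the log records are assumptions constructed for illustration.

```python
import ipaddress

# Zones allowed to resolve to internal addresses (assumed for this example).
LOCAL_SUFFIXES = (".lan", ".home.arpa")

INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
    "::1/128", "fc00::/7", "fe80::/10",
)]

def is_internal(addr):
    """True for addresses a public DNS name should never resolve to."""
    ip = ipaddress.ip_address(addr)
    ip = getattr(ip, "ipv4_mapped", None) or ip  # unwrap ::ffff:a.b.c.d
    return any(ip in net for net in INTERNAL_NETS)

def filter_answer(qname, addrs):
    """Resolver-side filter: drop internal addresses unless the name is local."""
    name = qname.rstrip(".").lower()
    if name.endswith(LOCAL_SUFFIXES):
        return list(addrs)
    return [a for a in addrs if not is_internal(a)]

def find_rebinds(records):
    """Scan (time, qname, address) records for public names that later
    answer with an internal address; returns (name, address, seconds)."""
    seen_public, alerts = {}, []
    for ts, qname, addr in records:
        name = qname.rstrip(".").lower()
        if name.endswith(LOCAL_SUFFIXES):
            continue
        if not is_internal(addr):
            seen_public.setdefault(name, ts)
        elif name in seen_public:
            alerts.append((name, addr, ts - seen_public[name]))
    return alerts

# Constructed sample log: seconds since start, queried name, answered address.
SAMPLE_LOG = [
    (0, "printer.lan.", "192.168.1.20"),
    (1, "news.example.", "203.0.113.10"),
    (2, "a1b2.rebind.example.", "198.51.100.7"),
    (9, "a1b2.rebind.example.", "192.168.1.44"),
    (12, "news.example.", "203.0.113.10"),
]

if __name__ == "__main__":
    for name, addr, gap in find_rebinds(SAMPLE_LOG):
        print(f"possible rebind: {name} -> {addr} ({gap}s after public answer)")
```

The filter only helps clients that actually use the filtering resolver, which matches Young's condition that devices point to the router for DNS.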