Bug in Google Home and Chromecast devices means cyber criminals could find out EXACTLY where you live and blackmail you with the information
- Bug allows hackers to see the exact location of your home Wi-Fi router
- Hackers simply need to access a computer connected to the router
- They can then request the gadget’s location through a Home or Chromecast
- Google said it plans to fix the security flaw in a software update next month
A bug in Google’s Home and Chromecast gadgets could show cyber criminals where you live.
The glitch allows hackers to access the exact location of your Wi-Fi router via a malicious link that could be sent to you via email or social media.
It was found by security researcher Craig Young, who said the issue allows cyber criminals to find your address or make scam messages more convincing.
These include fake calls from the IRS or demands for cash from hackers making phony claims that they have webcam footage of the victim watching pornography.
Google said it plans to fix the security flaw, which leaks your location with an accuracy of up to a few feet, in an update next month.
The bug was first reported Monday by Mr Young, a security expert at software firm Tripwire, based in Portland, Oregon.
Mr Young found he could access router location data stored on a Home or Chromecast gadget via a computer connected to the same network.
‘I was actually able to use data extracted from the devices to determine their physical location with astonishing accuracy,’ he wrote in a blog post.
Google collects information about the precise location of your Wi-Fi router so it can pinpoint your position without a GPS signal.
This allows the company to give you your location on its maps service, for instance, even when you are using a device with no GPS function, such as an old laptop.
Mr Young set up a website that ran malicious software designed to remotely infect a victim’s computer and extract the location data stored on nearby Google devices.
A link to this website could be sent to victims in an email, through social media platforms like Twitter or via a malicious advertisement on a website.
Once a victim clicks on the link, the website searches for Google devices connected to the same Wi-Fi network as the infected computer.
A glitch in the Chromecast and Home software means the website can send a message requesting your router’s location without requiring authentication.
In a test with his own computer, Mr Young found he could tease out the exact location of his home router via his own Chromecast device.
The hack works on both Windows and Mac computers, and could target you through either the Chrome or Firefox browser, Young found.
Hackers could use the technique to make scam messages – such as fake claims they have embarrassing photos of you taken through your webcam – more convincing.
They could use your location ‘to lend credibility to the warnings and increase their odds of success’, Young said.
The researcher told KrebsOnSecurity that the hack presents a danger because it can be performed remotely from almost any location.
WHICH SMART HOUSEHOLD GADGETS ARE VULNERABLE TO CYBER ATTACKS?
From devices that order our groceries to smart toys that speak to our children, high-tech home gadgets are no longer the stuff of science fiction.
But even as they transform our lives, they put families at risk from criminal hackers taking advantage of security flaws to gain virtual access to homes.
A June 2017 Which? study tested whether popular smart gadgets and appliances, including wireless cameras, a smart padlock and a children’s Bluetooth toy, could stand up to a possible hack.
The survey of 15 devices found that eight were vulnerable to hacking via the internet, Wi-Fi or Bluetooth connections.
Scary: Which? said ethical hackers broke into the CloudPets toy and made it play its own voice messages. They said any stranger could use the method to speak to children from outside
The test found that the Fredi Megapix home CCTV camera system operated over the internet using a default administrator account without a password, and Which? found thousands of similar cameras available for anyone to watch the live feed over the internet.
The watchdog said that a hacker could even pan and tilt the cameras to monitor activity in the house.
SureCloud hacked the CloudPets stuffed toy, which allows family and friends to send messages to a child via Bluetooth, and made it play its own voice messages.
Which? said it contacted the manufacturers of eight affected products to alert them to flaws as part of the investigation, with the majority updating their software and security.
‘An attacker can be completely remote as long as they can get the victim to open a link while connected to the same Wi-Fi or wired network as a Google Chromecast or Home device,’ Young said.
‘The only real limitation is that the link needs to remain open for about a minute before the attacker has a location.
‘The attack content could be contained within malicious advertisements or even a tweet.’
In a statement, a Google spokesperson said a fix for the flaw is expected in July.