Google Chromecast and Home Speaker can leak location data to websites

It’s been recognised for years that Wi-Fi networks are a great way to find out where people are located – and living – to within an accuracy of a few metres.

Given that Google’s Maps geolocation lookup is one of the main ways this data is gathered, one might assume the company would take extra care to make sure this valuable information isn’t leaked.

Not so, according to Tripwire researcher Craig Young, who has discovered that two of its products, the Chromecast streaming dongle and Home Speaker, have design weaknesses that could be exploited to let malicious attackers get hold of users’ geolocations.

It turns out that the Home app used to configure these devices sets the device’s name and specifies its Wi-Fi connection using an insecure local backchannel with no requirement for authentication, for example being logged into a Google account.

The OS doesn’t matter – his Proof-of-Concept worked on Windows, macOS, Linux, while using Chrome or Firefox.

The end result is that a remote attacker could lure someone to a website and use the lack of authentication to execute a DNS rebinding attack to interrogate those devices as long as the page is held open for a minute or so.

This included grabbing accurate location data from Wi-Fi geolocation which, contrary to what most people assume, can be as accurate and usually faster than gathering the same information via GPS.

Wait – Wi-Fi can be better at locating people than GPS? Surprisingly, yes, which is why this method has become so important to many companies, not only Google.

How it does this is through the Service Set Identifier (SSID) which is the Wi-Fi network name, as well as by noticing the router’s unique hardware MAC address.

Every time a device such as an Android phone with high-accuracy GPS turned on connects to that router, Google associates the identifiers it already has (the SSID and MAC) with that location.

By analysing the SSID’s signal strength, over time it becomes possible to know where that router is with some accuracy.

This is great in built-up areas, because Google can feed accurate location data built from an understanding of Wi-Fi to other devices that either have their GPS turned off or can’t reach it at all.

You can test this by opening Google Maps inside Chrome’s incognito mode on a smartphone with GPS turned off and clicking on the ‘My Location’ target icon in the bottom right hand corner.

Says Young:

Maps has typically been able to locate my machine within 10 meters.

But it also means that a remote attacker could do the same, using the Chromecast or Home devices to access the information they need.

It’s not hard to imagine why an attacker might want to know where somebody lives, he told the Brian Krebs website.

The implications of this are quite broad including the possibility for more effective blackmail or extortion campaigns. Threats to release compromising photos or expose some secret to friends and family could use this to lend credibility to the warnings and increase their odds of success.

What’s slightly unsettling is that when informed of the issue, at first Google reportedly closed it with a “Status: Won’t Fix (Intended Behavior)” message.

When Krebs contacted them, lo and behold the company had a sudden change of heart, saying it will issue a fix for the weakness in its devices in mid-July.

There isn’t really a short-term fix for this issue short of disconnecting these devices until new software becomes available. Even turning off SSID broadcast wouldn’t be sufficient and would simply make life inconvenient for the router’s users.

With warnings about poor Internet of Things (IoT) security now routine, it’s still a surprise that Google would let its devices get caught out by DNS rebinding, essentially a way to attack a private network using the browser as a proxy. (In a similar vein, remember 2014’s Chromecast Rickrolling?)