Two of Google’s most widely sold IoT devices have a privacy problem that makes it possible for hackers to pinpoint their location. Security experts Brian Krebs and Craig Young reported that Google Home and Chromecast both allow unauthenticated traffic to the devices, which can return the device’s location.
This privacy gaffe presents a serious threat. Because Google maintains a comprehensive archive of Wi-Fi network maps from all around the world, a device’s geolocation can be read without the need for an active GPS connection or cellular data collection. Combined with the default behavior of these devices to automatically trust any other device on the same Wi-Fi network, this makes it possible for hackers to mimic local devices and request the location data from Google’s services.
“The implications of this are quite broad including the possibility for more effective blackmail or extortion campaigns,” Young noted, adding that the location data could add more credibility to scams.
Despite the apparent danger, there are some hoops for the hackers to jump through here. The vulnerability in its current form doesn’t work unless a victim loads a script from a web page, and requires roughly a minute to fully pinpoint a user’s location.