A bug has been discovered in two of Google's smart home products, which could give away your exact location to potential cyber criminals. The software defect affects both the Google Home and Chromecast devices, when connected to your Wi-Fi router.
The software glitch
A security researcher named Craig Young, who works for an Oregon-based firm in the USA, discovered the bug on Monday. It's said that the defect could allow hackers to access the location of a Wi-Fi router in your home by using a malicious software link. This link could be disguised inside of an email message or text message, for example.
After connecting his computer to his own home Wi-Fi network, Mr Young was able to access and gather information about his internet router by using the Google Home and Chromecast devices that were also using the same connection.
“I was actually able to use data extracted from the devices to determine their physical location with astonishing accuracy.” – Mr Young
The technical jargon
When you use a Google location-based service like Google Maps, information about your precise location is collected by Google's services so that you can be pinpointed without the need for a GPS (Global Positioning System) signal. This allows the company to provide you with services that depend on location, like Maps, or exercise-based mobile applications.
Mr Young figured that if this data was being collected by smart home devices, which have not yet been proven to be completely secure, then it may also be possible to gain access to this location data. So, the security researcher set up a website running malware (malicious software) designed to infect any visiting computer with a virus. This virus would then capture the location data being used by Google devices connected to the same router.
The website wasn't created to purposefully exploit anyone's data, but rather to highlight the problem. Security researchers like Mr Young are tasked with exploring and exposing major security flaws before they can be used to target real people.
Could you be affected?
The defect was found to affect both Windows and Mac machines, with the website capable of attacking you through either the Google Chrome or Mozilla Firefox browsers. If a cybercriminal were to engineer the same type of website as Mr Young, and distribute links to the website, then theoretically the same effect could be achieved. Once the third party had access to your data, then they could potentially use it against you.
Though the location data may not seem like sensitive information, fraudsters could potentially use knowledge of your home address to make other scams seem legitimate, such as false telephone scam calls claiming to be from your bank. Alternatively, they could skim your social media profile for holiday snaps, burglarising your property whilst you’re out of the country.
Thankfully, Google have immediately jumped on the issue and have already issued a statement. They intend on releasing a security patch for the defect in July, so it won’t be long until you’re protected against this potential new problem.
If you have any concerns about your security, then WiseGuys could help you to vet your personal device security. We can advise you on setting up a VPN (Virtual Private Network) for better protection online, or on anti-virus software for your desktop machines. If you need to get in touch with us, you can reach us on 0808 123 2820.