Google will fix Home and Chromecast bug that reveals your location

These devices are nothing short of fantastic, but they aren't perfect.

Craig Young, a researcher with security firm Tripwire, said he discovered an authentication weakness that leaks incredibly accurate location information about users of both Google Home, the smart speaker and home assistant, and Chromecast, a small electronic device that makes it simple to stream TV shows, movies and games to a digital television or monitor.

The bug in these devices essentially allows any website to see nearby wireless connections and cross-reference them with Google's database to determine the precise location of the user. How does it all work? If the URL is clicked and the webpage is kept open for around a minute, the user's home GPS location is found, and subsequently exploited. You have to assume that even mildly sensitive info transmitted in the clear can serve as an avenue for attack, and Google has learned that lesson the hard way.

Above you'll see the attack in action. It simply requires that you click a link and leave that page open for about a minute to actually obtain the location data. Once the list of nearby wireless connections is received, the victim's precise location can easily be obtained by feeding the list to Google's location services. "Starting from a generic URL, my attack first identifies the local subnet and then scans it looking for the Google devices and registers a subdomain ID to initiate DNS rebinding on the victim," said Young.

The location exploit is risky, as Young explains: "The implications of this are quite broad including the possibility for more effective blackmail or extortion campaigns." When the researcher initially filed a bug report to Google describing the issue, the company dismissed the report, closing it with the message "Won't Fix [Intended Behavior]". But when Krebs contacted Google about the location leak, the company reversed its decision and announced that a software update would ship in mid-July 2018 to fix it.

In the meantime, Young offers a temporary solution for those who want to protect themselves.

A much easier solution is to add another router on the network specifically for connected devices. By connecting the WAN port of the new router to an open LAN port on the existing router, attacker code running on the main network will not have a path to abuse those connected devices.

There's no evidence this attack is being used in the wild, but Young suggests IoT devices should be on a separate network from your computer.
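Alongside network separation, the DNS rebinding step Young describes leaves a recognisable trace in resolver logs: a public hostname that is first answered with a public address and shortly afterwards with an address on the local network. The Python code below is an added example, not part of the original article or of Young's research; the log format, the internal zone suffixes, the 120-second window and every name and address in the sample are assumptions constructed for illustration.

```python
import ipaddress

# Constructed resolver log: (seconds, client, queried name, answer IP, TTL).
# Names and addresses are made up; public answers use documentation ranges.
SAMPLE_LOG = [
    (0,  "192.168.1.20", "cdn.example.net",      "198.51.100.7", 300),
    (5,  "192.168.1.20", "a1b2.rebind.example",  "203.0.113.10", 1),
    (12, "192.168.1.20", "a1b2.rebind.example",  "192.168.1.35", 1),
    (30, "192.168.1.21", "printer.lan",          "192.168.1.50", 60),
    (40, "192.168.1.21", "intranet.example.org", "10.0.0.8",     600),
]

LOCAL_SUFFIXES = (".lan", ".local", ".home.arpa")  # assumed internal zones

# Address ranges that should never be the answer for an Internet hostname.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_rebinding(log, window=120):
    """Return (findings, suspects).

    findings: names that flipped from a public to an internal address
              within `window` seconds, which is the rebinding signature.
    suspects: public names answered with an internal address without an
              earlier public answer on record (filter or review these).
    """
    last_public = {}  # (client, name) -> time of the last public answer
    findings, suspects = [], []
    for ts, client, name, ip, ttl in sorted(log):
        if name.endswith(LOCAL_SUFFIXES):
            continue  # internal zones legitimately map to LAN hosts
        key = (client, name)
        if not is_internal(ip):
            last_public[key] = ts
        elif key in last_public and ts - last_public[key] <= window:
            findings.append((client, name, ip, ttl))
        else:
            suspects.append((client, name, ip, ttl))
    return findings, suspects
```

Resolvers that can drop internal addresses from upstream answers apply the same test inline, so the second answer never reaches the browser.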
