HomeGoogle Home and Chromecast can reveal your home address

Google Home and Chromecast can reveal your home address

by
68facf2f4a6a2c85968a21e8bfd1

Here is a new example of the risks associated with a misconfigured connected devices, an area where even Google makes mistakes. Suppose a user is quietly at home surfing the web. This user also has a Google Home or Chromecast connected to their local network. Security researcher Craig Young of Tripwire discovered that it was enough to take this user on a website trapped to reveal its location with an accuracy of a few meters. Worrying? no?

This information leak is explained by a bad design of the parameterization functions. Google’s connected devices can indeed be configured from the local network, using the mobile home application installed on a smartphone. But connections are made with a low level of security, in HTTP and without any authentication. A browser running on a computer connected to the local network could therefore easily pretend to be the home application and send queries to Google devices.

Attack by DNS Rebinding

That’s exactly what the Craig Young website does. Equipped with a malicious Javascript code hidden in an iframe, this trapped page will first retrieve the local IP address of the computer using the WebRTC API. It will then browse the various possible local IP addresses and send them geolocation requests. As you can see in a YouTube video, it only takes a few minutes to recover this information, which is all the more accurate as Google relies on a database of Wi-Fi access points to do triangulation.

[jetpack-related-posts]

This hack is based on a well-known technique called “DNS Rebinding”. It is a sleight of hand that allows you to execute a Javascript code not on the server of the trapped website, but on a local web server. All the attacker needs to do is to have a DNS server which, when resolving the domain name, will first point to the hacker’s web server to retrieve the Javascript code, then on a local address to execute code.

According to the KrebsOnSecurity site, Google has taken note of this security breach and intends to deploy a patch in mid-July. Until then, users of Google Home and Chromecast have an interest in not surfing on shady sites. Another way to protect yourself and buy a second Wi-Fi hotspot and connect your WAN port to one of the Internet box’s LAN ports. We then have two wireless networks – one to surf the web, the other to connect to connected objects. This partitioning will prevent requests sent by the browser to reach these devices. It is a little painful, but much more secure.

  • How To Use ADB and Fastboot Commands On Android
  • How to Change DNS Server On Android 10 (Quince Tart), 11 (Red Velvet Cake), 12 (Snow Cone)
  • The best public DNS servers for free on the Internet
  • Google DNS complete guide
  • Change DNS on Smart TV and other Devices
  • What DNS Server Am I Using? Here Is How To Find Out
  • DNS server – the best to surf faster and more safely
  • How to Fix Spotify Error Code 4
  • Firefox Quantum + Focus – The fastest, smoothest browser 2024
  • 14 Best Free TV Streaming Applications For Android Phones
    • author image

    About Author

    Samuel Afolabi is a lazy tech-savvy that loves writing almost all tech-related kinds of stuff. He is the Editor-in-Chief of TechVaz. You can connect with him socially :)

    Leave a Comment

    This site uses Akismet to reduce spam. Learn how your comment data is processed.

    TechVaz.com is a professional review site that receives compensation from the companies whose products we review. We test each product thoroughly and give high remarks to only the very best. We are independently owned and the opinions expressed here are our own. We are also a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to Amazon.com. See our Affiliate Disclosure page.