Google is working on to release a patch for a bug that reveals user’s location. The issue was first discovered by researcher Craig Young who works at a security firm Tripwire. The bug impacts Chromecast and Google Home.
According to Young, the bug allows a website to collect user’s precise location data by exploiting a loophole in Google’s systems to cross-check a list of nearby wireless networks with Google’s precise geolocation look-up services.
I’ve only tested this in three environments so far, but in each case the location corresponds to the right street address. The Wi-Fi based geolocation works by triangulating a position based on signal strengths to Wi-Fi access points with known locations based on reporting from people’s phones.
– Craig Young
Devices like Chromecast and Google Home usually don’t require authentication from third parties to receive data on local networks, bad actors could exploit the generous permissions to collect that sensitive data.
It is common for websites to keep a record of the numeric Internet Protocol (IP) address of all visitors, and those addresses can be used in combination with online geolocation tools to glean information about each visitor’s hometown or region. But this type of location information is often quite imprecise. In many cases, IP geolocation offers only a general idea of where the IP address may be based geographically.
This is typically not the case with Google’s geolocation data, which includes comprehensive maps of wireless network names around the world, linking each individual Wi-Fi network to a corresponding physical location. Armed with this data, Google can very often determine a user’s location to within a few feet (particularly in densely populated areas), by triangulating the user between several nearby mapped Wi-Fi access points. [Side note: Anyone who’d like to see this in action need only to turn off location data and remove the SIM card from a smartphone and see how well navigation apps like Google’s Waze can still figure out where you are].
– Brian Krebs
Krebs has already contacted Google who in turn has agreed to fix the issue. The company is targeting mid-July for the release of the patch.