Google knows users’ exact locations and the information could be stolen by hackers via Google Home speakers or Chromecast devices, according to security researcher Craig Young from Tripwire.
This sensitive data not only tells hackers where users live, but can also help scammers create convincing fake messages to demand cash from users.
It is commonly known that websites keep records of visitors’ IP addresses, which may be traced to a town or a region. The data is not very precise and may point to a location that is 10 meters from the device itself.
Google’s geolocation data, however, is different from an IP address. With comprehensive maps of wireless routers around the world, Google matches each individual Wi-Fi network to a corresponding physical location.
If a device is running without GPS, Google can still precisely track its location. Even in a densely populated area, Google can pinpoint the location to within a few feet.
This location data is what hackers can obtain from Google Home or Chromecast, according to Young’s research.
How the research works
Young first set up a website running malicious software. When users open this website on their computers, the site searches for a Google Home or Chromecast device connected to the same router as the computer, and then sends a request to the Google device to get the location data.
The website may be an advertisement or a tweet. Once the link has been open for about one minute, the location data is retrieved. Hackers may ask the Google device for a list of nearby wireless networks and send the list to Google’s geolocation lookup services.
When Young first reached out to Google to talk about the issue in May, the search giant replied that it would not fix the bug. After the story was published by KrebsOnSecurity, Google changed its stance and said that a patch for Chromecast and Google Home speakers will arrive in July 2018.