Earlier today it was discovered by TripWire that there’s an authentication vulnerability that could allow hackers to obtain a user’s location using these Home devices.
The Home app on a user’s phone typically uses Google cloud services while performing tasks. Other tasks, however, such as setting the device’s name or connecting the device to Wi-Fi, get sent directly to the Home or Chromecast without authentication.
Using domain name system rebinding software allows attackers to exploit and obtain nearby wireless networks and use Google’s location lookup services to obtain the location of a user to an accuracy of a few feet.
Attackers don’t need to be connected to a user’s local network, they just require a user to open a link while connected to the same network as the affected device. The user is also required to keep the link open for roughly a minute.
Until there’s a fix, there’s a risk Google Home and Chromecast owners could be scammed and blackmailed using private location information.
Google’s fix is expected to arrive in mid-July.