Google Home’s recently publicised bug represents a larger problem with IoT security in general.
While adoption of at-home IoT devices is on the increase, with plenty of people enjoying the convenience a digital assistant brings, there are some problems that don’t seem to be going away.
The latest in a string of IoT security issues revolves around Google Home devices leaking user locations to an accuracy of just a few metres.
Security researcher at Tripwire, Craig Young, found an authentication weakness that leaks user location data in both the Google Home and Chromecast devices. He said the attack works by requesting a list of nearby wireless networks from the Google device and then sending that list to Google’s geolocation directory services.
“An attacker can be completely remote as long as they can get the victim to open a link while connected to the same Wi-Fi or wired network as a Google Chromecast or Home device,” Young told Krebs on Security. “The only real limitation is that the link needs to remain open for about a minute before the attacker has a location. The attack content could be contained within malicious advertisements or even a tweet.”
Home network issues
While the Home app on a user’s phone performs tasks through Google’s cloud services, other tasks – such as setting a device name and Wi-Fi connection – are directly sent to the Home or Chromecast without authentication. Using domain name system (DNS) rebinding software, location lookup services can then be exploited to a high level of accuracy.
Young has tested the bug in three environments and found that the location corresponded to the correct street address each time. In an attack example, the individual targeted needs to open and remain on a webpage for approximately a minute while connected to the same network as their Google device. While this is happening, the Wi-Fi network is scanned and any connected Google devices are revealed, along with their specific location data.
Assume data is accessible to adversaries
While it may be arduous for bad actors to pull a malicious attack off using these methods, it does mean that it is difficult to now view home networks as ‘trusted’ by default. Young did add, though, that people should “assume that any data accessible on the local network without credentials is also accessible to hostile adversaries”.
Google is set to debut a fix for the bug in the middle of July. There is a risk that phishing campaigns could use the bug to add gravitas to their strategies – by having a victim’s home address in an email, it may make them more likely to believe links within to be both official and benign.
Not just Google devices with this issue
Young noted that the issues he found are not solely applicable to Google devices. “Over the years that I’ve been auditing embedded devices, it is not the first time that I’ve seen a device supplying Wi-Fi survey data or other unique device details like serial numbers. Smart TVs, for example, commonly identify themselves with a unique screen ID as part of the DIAL protocol used to support Cast-like functionality.”
He recommends looking at segmenting your home networks; for example, having one network as your main home hub and another for connected devices. A simple way of doing this is adding another router on the network designated specifically for connected devices. Enabling DNS rebind protection is also recommended.