IoT devices have been causing nothing but trouble in terms of security. Whether it is always-on microphones or using unprotected devices in a botnet, something is always going wrong. Google’s Home and Chromecast are next in a long list after it was discovered they were both leaking location data.
Craig Young, a security researcher for Tripwire, initially found the flaw. He said the attack works by asking a Google device for a list of close wireless networks and then cross-references that list with Google’s geolocation lookup services.
Young spoke to KrebsOnSecurity about the flaw: “An attacker can be completely remote as long as they can get the victim to open a link while connected to the same Wi-Fi or wired network as a Google Chromecast or Home device,”
Young first reached out to Google about this issue in May, but they simply closed his bug report with a “Status: Won’t Fix (Intended Behavior)” message. However, now that the story has made it out to the public, Google has since confirmed that it will be working on a fix and releasing it at some point next month.
KitGuru Says: Google really needs to get its act together when it comes to device security, especially if they want their IoT devices to take off. What are your thoughts on how Google handled this issue?