Authentication error causes Google Home and Chromecast to leak location data
In June 2018, security researchers found that Google's smart speaker and home assistant, Google Home, and its Chromecast streaming device could be made to leak highly accurate location information because they failed to require authentication from other machines on their local network. The attack worked by requesting a list of nearby wireless networks from the Google device and sending that list on to Google's geolocation lookup service, whose map of wireless network names around the world is so extensive and highly detailed that the company can often identify a user's location to within a few feet. Executing the attack required the victim to open a link while connected to the same home network as the device and keep it open for about a minute. The attack itself could be sent inside a malicious advertisement or tweet. The information could be used to make phishing and extortion attacks appear more convincing. Google expected to correct the bug within a few weeks.
writer: Brian Krebs