Security News Google Home, Chromecast Leak Location Information (fix from Google is incoming in July)

LASER_oneXM

Level 37
Thread author
Verified
Top Poster
Well-known
Feb 4, 2016
2,520
Google Home and Chromecast devices allow attackers to uncover the precise physical locations of the connected gadgets thanks to two common internet of things issues present in both. A fix from Google is incoming in July.

At issue is, like many other IoT devices, they don’t require authentication for connections received on a local network; and, locally HTTP is used to configure or control embedded devices. Tripwire researcher Craig Young found as a result, an attacker can use DNS rebinding to carry out an attack. This is a technique where JavaScript in a malicious web page is used to communicate with or gain control of a victim router or other target device that uses a default password and web-based administration.
“The confluence of these properties means that web browsers and, therefore, websites can sometimes interact with network devices,” Young explained in a blog post on Monday. “It turns out that although the Home app – which allows users to configure Google Home and Chromecast – performs most actions using Google’s cloud, some tasks are carried out using a local HTTP server. Commands to do things such as setting the device name and WiFi connections are sent directly to the device without any form of authentication.”
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top