- Feb 4, 2016
- 2,520
Google Home and Chromecast devices allow attackers to uncover the precise physical locations of the connected gadgets thanks to two common internet of things issues present in both. A fix from Google is incoming in July.
At issue is, like many other IoT devices, they don’t require authentication for connections received on a local network; and, locally HTTP is used to configure or control embedded devices. Tripwire researcher Craig Young found as a result, an attacker can use DNS rebinding to carry out an attack. This is a technique where JavaScript in a malicious web page is used to communicate with or gain control of a victim router or other target device that uses a default password and web-based administration.
“The confluence of these properties means that web browsers and, therefore, websites can sometimes interact with network devices,” Young explained in a blog post on Monday. “It turns out that although the Home app – which allows users to configure Google Home and Chromecast – performs most actions using Google’s cloud, some tasks are carried out using a local HTTP server. Commands to do things such as setting the device name and WiFi connections are sent directly to the device without any form of authentication.”