A security researcher has discovered a new flaw in Google's Chromecast media streamer and Google Home smart speaker that allows attackers to uniquely identify the connected gadgets and, potentially, reveal their precise physical location. Using a technique called "DNS rebinding", the researcher was able to use a simple script running in the background of a website to collect data about the local network and then use Google's geolocation services to find where the device was, based on the nearby wireless networks.
“An attacker can be completely remote as long as they can get the victim to open a link while connected to the same Wi-Fi or wired network as a Google Chromecast or Home device. The only real limitation is that the link needs to remain open for about a minute before the attacker has a location. The attack content could be contained within malicious advertisements or even a tweet.”
Incredibly, when he reported the flaw to Google, they closed his bug report saying "Status: Won't Fix (Intended Behavior)". It wasn't until further pressure was brought to bear, once the exploit became more widely known, that Google changed its position: what they regarded as intended behaviour was not what anyone else expected. An update is expected in mid July.
This flaw exploits two things that we have become increasingly dependent on as more devices connect to the internet: devices rarely require authentication for connections received on the local network, and embedded devices are configured or controlled over plain HTTP.
When a device connects to the internet, it's not unusual for websites to collect the IP addresses of connected devices. And while you might expect linking to a device to depend on being authenticated in Google's controlling app, there is no requirement at the protocol level to perform any authentication.
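Added example, not code from the article or from Google: a device-side check that breaks the rebinding step described above. In a DNS rebinding attack the browser's request does reach the device over the LAN, but its Host header still carries the attacker's hostname, because that is the name the page asked the browser to fetch. An embedded HTTP control service that only acts on requests naming one of its own addresses or names rejects such a request before doing anything. The device addresses, the mDNS name, the endpoint path and the sample requests are all constructed for the example.

```python
import ipaddress

# Constructed device identity (hypothetical): the only addresses and names under
# which this embedded control service should accept requests.
DEVICE_ADDRESSES = {ipaddress.ip_address("192.168.1.50"), ipaddress.ip_address("fe80::1")}
DEVICE_NAMES = {"speaker.local"}  # hypothetical mDNS name

# Constructed sample requests as a browser on the LAN would send them. The
# "rebound" one is what a DNS-rebinding page produces: the attacker's hostname
# now resolves to the device, but the Host header still carries that hostname.
SAMPLE_REQUESTS = {
    "direct-by-ip":   b"GET /setup/info HTTP/1.1\r\nHost: 192.168.1.50:8008\r\n\r\n",
    "direct-by-name": b"GET /setup/info HTTP/1.1\r\nHost: Speaker.local\r\n\r\n",
    "rebound":        b"GET /setup/info HTTP/1.1\r\nHost: rebind-test.example\r\n\r\n",
    "no-host":        b"GET /setup/info HTTP/1.0\r\n\r\n",
}


def host_from_header(value):
    """Return the host part of a Host header value without its port, or None."""
    value = value.strip()
    if value.startswith("["):                 # bracketed IPv6 literal, e.g. [fe80::1]:8008
        end = value.find("]")
        return value[1:end] if end > 0 else None
    if value.count(":") == 1:                 # name or IPv4 literal followed by :port
        value = value.split(":", 1)[0]
    return value or None


def host_header_allowed(value, addresses=DEVICE_ADDRESSES, names=DEVICE_NAMES):
    """True only if the Host header names this device by one of its own addresses or names."""
    host = host_from_header(value)
    if host is None:
        return False
    try:
        return ipaddress.ip_address(host) in addresses
    except ValueError:                        # not an IP literal: compare as a hostname
        return host.lower().rstrip(".") in names


def extract_host_header(raw_request):
    """Pull the Host header out of a raw HTTP/1.x request; None if it is absent."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, sep, val = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return val.decode("ascii", "replace").strip()
    return None


def request_allowed(raw_request):
    """Decision an embedded HTTP service should take before acting on a request."""
    header = extract_host_header(raw_request)
    return header is not None and host_header_allowed(header)


def classify(requests=SAMPLE_REQUESTS):
    """Map each sample request to 'allow' or 'reject'."""
    return {k: ("allow" if request_allowed(v) else "reject") for k, v in requests.items()}


if __name__ == "__main__":
    for label, verdict in classify().items():
        print(f"{label:15} {verdict}")
```

The check costs nothing at runtime and needs no credentials, which is why it is the usual first fix for unauthenticated local HTTP services: a legitimate client on the LAN already addresses the device by its IP or mDNS name, so nothing it sends is rejected.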
Young has created a video demonstration of how he used the exploit.
There are some things you can do, such as running internal devices on their own network, running your own DNS service, or using third-party router software like DD-WRT that supports protection against DNS rebinding.
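Added example for the resolver-side protection mentioned above, written from scratch rather than taken from DD-WRT or dnsmasq (whose `--stop-dns-rebind` and `--rebind-domain-ok` options do the same job): a filter that drops A/AAAA answers pointing an external name at private, loopback, link-local, unspecified or IPv4-mapped address space, with an allowlist for local zones that legitimately resolve to LAN addresses. The names, addresses, TTLs and response sequence are constructed.

```python
import ipaddress
from collections import namedtuple

# One resource record from a DNS answer section.
Answer = namedtuple("Answer", "name rtype data ttl")

# Constructed allowlist (hypothetical): local zones that may legitimately resolve
# to private addresses.
REBIND_DOMAIN_OK = {"home.lan"}

# Constructed sample responses in the order a resolver would see them during a
# rebinding attack: the first lookup returns a routable address with a 1-second
# TTL, the re-lookup a moment later returns the LAN device instead. The final
# response is a legitimate local name. (8.8.8.8 / 2001:4860:4860::8888 are used
# only as stand-ins for "a routable public address", because Python's ipaddress
# flags the RFC 5737 documentation ranges as private.)
SAMPLE_RESPONSES = [
    [Answer("rebind-test.example", "A", "8.8.8.8", 1)],
    [Answer("rebind-test.example", "A", "192.168.1.50", 1)],
    [Answer("rebind-test.example", "AAAA", "::ffff:192.168.1.50", 1),
     Answer("rebind-test.example", "AAAA", "2001:4860:4860::8888", 1)],
    [Answer("speaker.home.lan", "A", "192.168.1.60", 300)],
]


def is_internal(ip_text):
    """True for any address a public hostname should never be allowed to resolve to."""
    addr = ipaddress.ip_address(ip_text)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped          # ::ffff:a.b.c.d hides an IPv4 address
    return addr.is_private or addr.is_loopback or addr.is_link_local or addr.is_unspecified


def in_allowed_zone(name, ok_domains=REBIND_DOMAIN_OK):
    """True if name is one of the allowlisted local zones or lies beneath one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in ok_domains)


def filter_answers(answers, ok_domains=REBIND_DOMAIN_OK):
    """Split an answer section into (kept, dropped): A/AAAA records that point a
    non-allowlisted name at internal address space are dropped."""
    kept, dropped = [], []
    for rr in answers:
        if rr.rtype in ("A", "AAAA") and is_internal(rr.data) and not in_allowed_zone(rr.name, ok_domains):
            dropped.append(rr)
        else:
            kept.append(rr)
    return kept, dropped


def audit(responses=SAMPLE_RESPONSES):
    """Run the filter over a sequence of responses and return the number of
    records dropped plus the sorted names they belonged to."""
    total, names = 0, set()
    for answers in responses:
        _, dropped = filter_answers(answers)
        total += len(dropped)
        names.update(rr.name for rr in dropped)
    return total, sorted(names)


if __name__ == "__main__":
    for answers in SAMPLE_RESPONSES:
        kept, dropped = filter_answers(answers)
        for rr in dropped:
            print(f"DROP {rr.name} {rr.rtype} {rr.data} (ttl {rr.ttl})")
        for rr in kept:
            print(f"KEEP {rr.name} {rr.rtype} {rr.data} (ttl {rr.ttl})")
    print("dropped:", audit())
```

This only protects clients that actually use the filtering resolver: a browser or device with its own hard-coded or DNS-over-HTTPS resolver bypasses it entirely, which is why the device-side Host header check and a separate network segment for such gadgets are the complementary controls rather than alternatives.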