Google Home security breach sends your location to hackers
Google says it's fixing the problem in July
Google Home and Chromecast can send their specific location to people running a program that dupes the devices to revealing where they are by the network they're connected as they work.
Discovered earlier this year, the problem came to Google's attention by a Tripwire researcher Craig Young — but the tech giant dismissed the issue. That is, until KrebsonSecurity, came knocking back on Google's door, getting the company to agree to build a patch by mid-July.
The attack requires someone to click on a phishing link — which runs a script that locates the location of the devices in about a minute. Details are specific enough down to a street address.
Google Home isn't immune to kinks in its system. When first released, the Google Home Mini was caught recording everything it heard, and sending the data back to Google. Both Amazon Alexa and Google Home required patches in 2017 from the Bluetooth-based BlueBourne hack. And most recently, Amazon admitted an Echo smart speaker recorded a couple at home, saved the audio, and sent the files to someone on their contact list — all on its own.
Clicking on a rogue link through a smartphone or computer can give hackers access to the location where a Google Home or Chromecast sits, if it's connected to the same network.iStock
It's no wonder two-thirds of adults in six countries have expressed concerns about their smart devices being hacked.
Sending the exact address of a device's location gives more personal information to hackers who, as Young said, could use the details to make other kinds of threat attacks, seem more real.
The best way to protect devices from being hacked is of course to unplug them. That's not ideal, as that renders any connected gadget into a fancy expensive brick — probably not why someone bought them in the first place.
Young suggests adding a second router for connected devices, separate from a router kept from heavily used smartphones and computers. That doesn't completely keep everything safe from intrepid hackers— but it does add another step which for some script kiddies may be enough of headache to take.