Google will fix Chromecast and Google Home bug that reveals a user’s location

From The Verge: Google plans to release a patch sometime in the next few weeks to fix a bug in its Home smart speaker and Chromecast TV streaming stick that lets a website collect precise user location data, according to a report from security reporter Brian Krebs. The bug, disclosed by researcher Craig Young at security firm Tripwire, works by exploiting a loophole in Google’s systems to cross-check a list of nearby wireless networks with Google’s precise geolocation look-up services.

Essentially, by using the location gleaned by nearby Wi-Fi networks through a Google Home or Chromecast, a malicious website can triangulate a user’s location. And because those devices rarely require authentication from third parties to receive data on local networks, bad actors could exploit the generous permissions to collect that sensitive data. Here is Krebs explaining how Google’s geolocation data gives it the ability to “determine a user’s location to within a few feet” and differs greatly from your standard IP-based geolocation:

It is common for websites to keep a record of the numeric Internet Protocol (IP) address of all visitors, and those addresses can be used in combination with online geolocation tools to glean information about each visitor’s hometown or region. But this type of location information is often quite imprecise. In many cases, IP geolocation offers only a general idea of where the IP address may be based geographically.

This is typically not the case with Google’s geolocation data, which includes comprehensive maps of wireless network names around the world, linking each individual Wi-Fi network to a corresponding physical location. Armed with this data, Google can very often determine a user’s location to within a few feet (particularly in densely populated areas), by triangulating the user between several nearby mapped Wi-Fi access points. [Side note: Anyone who’d like to see this in action need only to turn off location data and remove the SIM card from a smartphone and see how well navigation apps like Google’s Waze can still figure out where you are].
