A bug has been discovered in Google's Chromecast and Google Home devices, which allows any website to access Google's precise location service to find out the exact position of the devices with a margin of error of just a few feet.
Websites can usually obtain a general idea of the user's location through the IP address of the device accessing the website, but this method isn't extremely precise and the privacy of visitors is protected to some extent. Google, however, uses high-precision location services that rely on wireless networks around the user to narrow down the possible locations of the device based on the triangulation in relation to those networks. Krebs on Security explains:
It is common for Web sites to keep a record of the numeric Internet Protocol (IP) address of all visitors, and those addresses can be used in combination with online geolocation tools to glean information about each visitor’s hometown or region. But this type of location information is often quite imprecise. In many cases, IP geolocation offers only a general idea of where the IP address may be based geographically.
This is typically not the case with Google’s geolocation data, which includes comprehensive maps of wireless network names around the world, linking each individual Wi-Fi network to a corresponding physical location. Armed with this data, Google can very often determine a user’s location to within a few feet (particularly in densely populated areas), by triangulating the user between several nearby mapped Wi-Fi access points. [Side note: Anyone who’d like to see this in action need only to turn off location data and remove the SIM card from a smart phone and see how well navigation apps like Google’s Waze can still figure out where you are].
The bug in these devices essentially allows any website to see nearby wireless connections and cross-reference with Google's database to determine the precise location of the user. Craig Young, the researcher who discovered the flaw, says that "Although Google’s app, which uses this functionality, implies that you must be logged into a Google account linked with the target device, there is, in fact, no authentication mechanism built into the protocol level". You can see the bug in action in the video below:
Young says he was only able to test the flaw in three different locations, but in each case, the location obtained by the website corresponded to the right street address. When the researcher initially filed a bug report to Google describing the issue, the company dismissed the report, closing it with the message "Won't Fix [Intended Behavior]". But upon being contacted by Krebs on Security, the company said it would fix the issue through an update scheduled for release in July.
User privacy has been a major topic of discussion recently, with Facebook often taking the spotlight for the worst reasons, but this bug - and Google's initial response to it - seem to indicate that the social network isn't the only one making some mistakes.