[SMART HOME] Google Home and Chromecast: security flaw discovered

Craig Young, a cyber security researcher at Tripwire, recently discovered a security flaw in Google Home and Chromecast products: a script executed from a website can locate the owners' homes. Until now, the Google Home assistant and the Chromecast video streaming system had not been affected by security holes of this kind. Using an unpatched flaw in the protection of personal data, the researcher showed that he was able to geolocate the homes of Google Home and Chromecast owners very precisely (to within 10 meters).

In this case, the location information was sent to a website without the users' knowledge. The "hacker" obtained the list of Wi-Fi networks from Google Home and Chromecast. Through access to data based on the devices' IP addresses, he was able to locate a home, and even a person connected to one of these networks with a smartphone. Google's first response was to say that this was simply an intended feature, before finally acknowledging the flaw. Google will ship a patch in an update in July.

Home automation assistants are exposed to significant risks and endanger their users' sensitive data. This type of flaw highlights the notion of "privacy by design" that manufacturers must respect before bringing any product to market (GDPR). Securing home networks has become a necessity; otherwise they can no longer be considered trusted environments.