Google’s Newest Feature: Find My Home

The commoditization of personal data in recent years has created huge opportunities for anyone with the skills to collect, catalogue and correlate every aspect of our lives. For many years now, there has been a war between browser vendors and unscrupulous advertisers looking for tricks to uniquely identify users and track their movements across websites. Mozilla, for example, has implemented a long list of protections against browser fingerprinting within Firefox and EFF’s Privacy Badger anti-tracking browser plugin has more than one million installs across Firefox and Chrome.

Despite all of these efforts to thwart unwanted online tracking, it turns out that our connected gadgets may not only uniquely identify us but, in some cases, they can reveal precise physical locations. In this blog post, I will reveal a new attack against Google Home and Chromecast devices that does exactly that.

These problems stem from two fundamental design choices that are prevalent among IoT devices:

1. Devices rarely require authentication for connections received on a local network
2. HTTP is frequently used to configure or control embedded devices

The confluence of these properties means that web browsers and, therefore, websites can sometimes interact with network devices. This is something I’ve talked about before with regard to using cross-site request forgery (CSRF) or DNS rebinding to achieve code execution.

Analyzing Google Cast Devices

This research started with the simple goal of creating a lab exercise for my Black Hat training demonstrating how a website can identify and commandeer screens or speakers on a local network to play Rick Astley’s “Never Gonna Give You Up.” (A ‘Drive-by Rick Roll’ if you will.) Using the IoT analysis techniques I’ve been teaching, I quickly realized a far more interesting attack surface.

It turns out that although the Home app – which allows users to configure (Read more...)