Here is a new example of the risks associated with a misconfigured connected devices, an area where even Google makes mistakes. Suppose a user is quietly at home surfing the web. This user also has a Google Home or Chromecast connected to their local network. Security researcher Craig Young of Tripwire discovered that it was enough to take this user on a website trapped to reveal its location with an accuracy of a few meters. Worrying? no?
This information leak is explained by a bad design of the parameterization functions. Google’s connected devices can indeed be configured from the local network, using the mobile home application installed on a smartphone. But connections are made with a low level of security, in HTTP and without any authentication. A browser running on a computer connected to the local network could therefore easily pretend to be the home application and send queries to Google devices.
Attack by DNS Rebinding
According to the KrebsOnSecurity site, Google has taken note of this security breach and intends to deploy a patch in mid-July. Until then, users of Google Home and Chromecast have an interest in not surfing on shady sites. Another way to protect yourself and buy a second Wi-Fi hotspot and connect your WAN port to one of the Internet box’s LAN ports. We then have two wireless networks: one to surf the web, the other to connect to connected objects. This partitioning will prevent requests sent by the browser to reach these devices. It is a little painful, but much more secure.