Physical access to the device is required
Little-known behavior in Chrome OS can reveal a user's movements through Wi-Fi logs. The attack takes advantage of Chrome OS's guest mode and requires physical access to the device, but it can be performed without knowing the user's password or having any login access.
The bug was reported to The Verge by the Committee on Liberatory Information Technology, a technology collective that includes several former Googlers.
“We are investigating this issue,” said a Google spokesman. “In the meantime, device owners can turn off guest mode and disable the creation of new users.” Instructions for disabling guest browsing are available here.
The bug stems from the way Chromebooks handle their Wi-Fi logs, which record when and how the computer connects to the wider Internet. The logs are hard for non-technical users to read, but they can be decoded to reveal which Wi-Fi networks were within range of the computer. Combined with other available data, this can reveal the owner's movements over the period covered by the logs, potentially up to seven days.
Since Chrome OS keeps these records in unprotected storage, they can be accessed without a password. Just open a Chromebook in guest mode and navigate to a fixed local address to open the records in local storage. This shows all records on the computer, including those generated outside guest mode.
Electronic Frontier Foundation researcher Andrés Arrieta confirmed the attack and said it was a particular concern for targeted and marginalized communities. Although the bug is of little use to conventional cybercriminals, it is a potentially devastating privacy problem for those concerned about surveillance by family members or co-workers.
“It is worrying because anyone with quick physical access to the device can potentially log in as a guest and quickly take some records and location details,” said Arrieta. “Security teams should try to better understand the possible repercussions of these bugs for all their users and include this in their bug assessment and prioritization.”