A little-known behavior in Chrome OS can reveal a user’s movements via Wi-Fi logs. The attack relies on Chrome OS’s guest mode feature and requires physical access to the device, but it can be performed without knowing the user’s password or having login access.
The bug was flagged to The Verge by the Committee on Liberatory Information Technology, a technology collective that includes several former Googlers.
“We are investigating this issue,” said a Google spokesperson. In the meantime, device owners can disable guest mode and disable new user creation. Instructions for disabling guest browsing are available here.
The bug stems from the way Chromebooks handle their Wi-Fi logs, which show when and how a computer connects to the wider Internet. The logs can be confusing for non-technical users, but they can be deciphered to reveal which Wi-Fi networks were within range of the computer. Combined with other available data, that could reveal the owner’s movements during the period covered by the logs, possibly as much as seven days.
Since Chrome OS keeps those logs in unprotected memory, they can be accessed without a password. Simply opening a Chromebook in guest mode and navigating to a standardized address will bring up the logs held in local storage. This shows all the logs for the computer, even the ones generated outside of guest mode.
Andrés Arrieta, an Electronic Frontier Foundation researcher, confirmed the attack, saying it was of particular importance to targeted and marginalized communities. While the bug would not be helpful to conventional cyber criminals, it is a potentially devastating privacy issue for those concerned about surveillance by family members or colleagues.
“It is worrying because anyone with quick physical access to the device could potentially come in as a guest and quickly handle some logs and location information,” Arrieta said. “Security teams should try to better understand the potential impact of those bugs on all of their users and include that in their bug assessment and prioritization.”