A little-known behavior in Chrome OS could reveal a user’s movements through Wi-Fi logs. The attack leverages Chrome OS’s Guest mode feature: it requires physical access to the device, but it can be executed without knowing the user’s password or having login access.
The bug was flagged to The Verge by the Committee on Liberatory Information Technology, a tech collective that includes several former Googlers.
“We are looking into this issue,” said a Google spokesperson. “In the meantime, device owners can turn off guest mode and disable the creation of new users.” Instructions for turning off Guest browsing are available here.
The bug stems from the way Chromebooks treat their Wi-Fi logs, which show when and how a computer connects to the broader internet. The logs can be confusing for nontechnical users, but they can be deciphered to reveal which Wi-Fi networks were in range of the computer. Combined with other available data, that could reveal the owner’s movements over the period of time covered by the logs — potentially as long as seven days.
Because Chrome OS keeps those logs in unprotected memory, they can be accessed without a password. Simply opening a Chromebook in Guest mode and navigating to a standardized address will bring up the logs in local storage. That will show all logs for the computer, even ones generated outside of Guest mode.
Electronic Frontier Foundation researcher Andrés Arrieta confirmed the attack and said it was of particular concern for targeted and marginalized communities. While the bug wouldn’t be useful to conventional cybercriminals, it’s a potentially devastating privacy issue for those worried about surveillance from family members or co-workers.
“It’s worrisome because anyone with quick physical access to the device could potentially get in as guest and quickly take some logs, and out details of location,” said Arrieta. “Security teams should try to better understand the potential repercussions of those bugs for all their users and include that in their assessment and prioritization of bugs.”