A little-known behavior in Chrome OS can detect user movements through Wi-Fi logs. By taking advantage of Chrome OS’s guest mode feature, the attack will require physical access to the device, but it can be carried out without knowing the user’s password or having login access.
The error was flagged The Verge by the Committee on Liberatory Information Technology, a technology collective that includes several former googlers.
“We are looking into this issue,” a Google spokesman said. “Meanwhile, device owners can turn off guest mode and disable the creation of new users.”
The error stems from the way Chromebooks process their Wi-Fi logs, which show when and how a computer connects to the wider Internet. The logs can be confusing for non-technical users, but they can be deciphered to reveal which Wi-Fi networks were within range of the computer. Combined with other available data, which can reveal the owner’s movements over the time period covered by the logs – potentially as long as seven days.
Because Chrome OS keeps the logs in unprotected memory, you can access them without a password. Just opening a Chromebook in guest mode and navigating to a standardized address will result in local storage logs. This displays all the logs for the computer, including those generated outside of guest mode.
Electronic Frontier Foundation researcher Andrés Arrieta confirmed the attack, saying it was particularly concerned about targeted and marginalized communities. While the bug would not be helpful to conventional cybercriminals, it is a potentially devastating privacy issue for those concerned about surveillance by family members or colleagues.
“It’s worrying because anyone with quick physical access to the device could potentially come in as a guest and quickly take some logs and out location details,” Arrieta said. “Security teams should try to better understand the potential consequences of these errors for all users, and include them in their assessment and prioritization of errors.”