The "Rickmote Controller" Can Hijack Any Google Chromecast
redletterdave writes: Dan Petro, a security analyst for the Bishop Fox IT consulting firm, built a proof of concept device that's able to hack into any Google Chromecasts nearby to project Rick Astley's "Never Gonna Give You Up," or any other video a prankster might choose. The "Rickmote," which is built on top of the $35 Raspberry Pi single board computer, finds a local Chromecast device, boots it off the network, and then takes over the screen with multimedia of one's choosing. But it gets worse for the victims: If the hacker leaves the range of the device, there's no way to regain control of the Chromecast. Unfortunately for Google, this is a rather serious issue with the Chromecast device that's not too easy to fix, as the configuration process is an essential part of the Chromecast experience.
Kind of.
Truly we have seen the future: Now you can Rickroll people without any effort on their part. Can't wait to do this on fridge TVs.
Couldn't he have just displayed a Goatse and have been done with it? What he did was in poor taste; don't security researchers have any professionalism any more? Seriously, there should be a law against this sort of thing...
That's right up there with the Windows Explorer thing that executed arbitrary code from a bitmap file when you visited the directory it lived in. Kudos to Google for keeping up.
Doesn't this first require that you can get onto the Chromecast's wireless network?
If you can get on someone's wireless network, there are a lot of things you can do.
Can't this be easily solved by making the process of jumping to a different wireless router in configuration mode more secure?
After the hacker leaves the range, the Chromecast will not connect to the original network. I don't know if the Chromecast installation tool can reconnect to it and reconfigure the network it connects to.
"boots it off the network"
How exactly is that accomplished? I'd assume that anyone inside a network has basically unfettered access to the device, but how would a 'drive by' attacker be able to accomplish this?
Bye!
Article in original content format, without ads: here
My first program:
Hell Segmentation fault
This is a general problem with devices that are "paired". How do you securely establish the initial connection, when neither side knows anything about the other?
The secure solutions involve some shared secret between the two devices. This requires a secure transmission path between the devices, such as typing in a generated key (like a WPA2 key) or physically carrying a crypto key carrier to each device (this is how serious cryptosystems work).
Semi-secure systems involve things like creating a short period of temporary vulnerability (as with Bluetooth pairing). There's a scheme for sharing between cellphones where you bump the phones together, and they both sense the deceleration at close to the same time.
Nowhere in TFA does it say why a Factory Data Reset won't fix that.
Your hair look like poop, Bob! - Wanker.
If the hacker leaves the range of the device, there's no way to regain control of the Chromecast.
Where's the factory-reset button when you need it?
Consumer electronics that aren't so cheap they are "disposable" should have a "reset to last known good state" hardware button and, for some types of devices, a "save current state as known good state" hardware button. If the second button is missing, the "factory fresh state" will forever be the only "last known good state."
The second button is needed for installing "bios-level" anti-theft software and the like that can't be undone by the first button, if the customer wants to make that software non-uninstallable by a security-savvy thief should it be stolen.
For some products, one or both of these buttons may require opening the case and breaking tamper-evident seals, but they should exist, and they should be true hardware buttons, not defeat-able by software.
They need to be hardware buttons so a virus or malware doesn't "press" them, defeating the purpose of being able to "roll back" the machine to a previous state.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Chromecasts have a reset button next to the USB port.
If Google can "remotely configure" your device, then so can someone else if they're determined enough.
Duh.
If you knew anything about the possibilities of cryptography, you would know that you can exchange data even using an unsecured channel... Use a standard with asymmetric-key encryption. Even simple Diffie-Hellman key exchange solves all your problems.
I was waiting for an ironic "Pepperidge Farm Remembers" ending.
Get free satoshi (Bitcoin) and Dogecoins
Cruisin' down the street
Real slow
While the Chromecasters be yellin'
RICKROLLED!
"Love heals scars love left." -- Henry Rollins
CORL........ NEXT TRACK.
Person with access to your local network can configure network configurable device.
http://www.nzherald.co.nz/entertainment/news/article.cfm?c_id=1501119&objectid=11297251
>built on top of the $35 Raspberry Pi
If it was built around a $200 Dell Laptop with an Intel Atom Processor, would you list all of that, too?
Raspberry Pi fetishists are truly the scum of the earth.
I think I read that in a EULA somewhere....
I'm not sure kids should be exposed to Mario Goatse.
Waiting for the Google Glass version Rickmote. That one has endless possibilities...
Light a fire for a man and he'll be warm for a day. Light a man on fire and he'll be warm for the rest of his life.
That's a looped Rickroll. Instead, have this video about music on android.
As if slashdot isn't a privileged white male monoculture either.
Well, a graying white male monoculture at least.
You should check a few social media analysis sites - in fact, most of Slashdot's demographic are from India and Pakistan, under 35 and working in call centers and/or SMM teams.
If it was built around a $200 Dell Laptop with an Intel Atom Processor, would you list all of that, too?
No. And the reason is that a $200 netbook costs a lot more than $35. Part of the perceived embarrassment is how cheap it is to build a rig that remotely 0wns someone's Chromecast device. If mentioning the Raspberry Pi brand is too much of a Slashvertisement to you, would "a $35 single-board computer" sound more honest?
We're gonna shange the world with Sparticus... Sparticus!!!
Find the asshole with the Rickmote and beat the living shit out of him, then break it in two and shove both halves up his ass.
It's his deity. He's dyslexic.
As to whether his deity can copulate or not... well, what happens on Mount Olympus stays on Mount Olympus... except in the case of pregnancies - those are the things of which legends are born.
unless at least one party knows who it's supposed to be talking to & can independently verify the other party's identity and the integrity of key-exchange traffic supposedly taking place with it,
For short-range communications between devices operated by human beings, this isn't as hard as one might think.
Let's say I want my cell phone to communicate with a kiosk at McDonald's, without having to rely on the phone network to do the authentication.
Behind the counter, McDonald's has a poster-sized, easy-to-photograph representation of the kiosk's public key.
Now to exchange keys, I walk up to the kiosk and press a button. It puts a random picture on the screen. My phone takes a picture of it, combines it with a random picture I create, my public key, and a suggested random private key, then it encrypts it with the kiosk's public key. My phone tells me to turn it towards the kiosk's camera. It displays the random picture the kiosk created for a few seconds, then the random picture I created for a few seconds, then a pictorial representation of my public key for a few seconds, then a pictorial representation of the entire encrypted message for a few seconds. After all of this is done my phone tells me to flip it around again. The kiosk sends me a new shared key that is based on the suggested shared key that I sent to it, but this time it is encrypted with my public key.
Now we can talk and I can place my order and provide my credit card information securely.
This all works because I got the kiosk's public key from a trusted, independent source - the sign behind the counter that some human being put up and which the McDonald's employees would've noticed if it had changed recently (e.g. if a hacker had replaced the real sign with his own fake one and concurrently replaced the kiosk's public key with one he controlled).
By the way, this is a hypothetical example - there are easier ways to buy burgers than to spend half a minute or more playing "can we trust each other" with a kiosk.
Can this method be defeated? Yes - but you defeat it by removing the assumption that the McDonald's employees are paying attention to their surroundings for any suspicious changes and the assumption that the McDonald's employees are loyal enough to their employer to not "look the other way" if they notice a change or worse, collude with each other to BE the "man in the middle." But at this point, it's no different than walking into a bank and dealing with a crooked bank teller.
"But it gets worse for the victims: If the hacker leaves the range of the device, there's no way to regain control of the Chromecast."
It will keep playing Never Gonna Give You Up, yes?
I always thought it was kind of idiotic that Google didn't include some kind of screen-based authentication, for example displaying a code on the TV screen that you would have to enter into the webapp to complete setup. Thankfully I live out in the sticks and there are maybe two people within range of my WiFi, but in a more urban area this kind of thing could be a little more of an issue. I love my Chromecast, even though there are some bugs that one has to work through with one (update issues, unsupported apps, buggy apps, etc.). It's dirt cheap, it works well, has good resolution & is pretty easy to set up, but Google could have thought a little more about security.
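The pairing-bootstrap problem raised earlier in the thread (neither side knows anything about the other) and the screen-displayed setup code suggested in this comment, modelled as an added example that is not code from the article, Bishop Fox or Google: a key exchange on its own cannot tell the app which device it is talking to, so each side derives a short code from the public keys it saw plus the shared secret, and a key substituted in transit shows up as a mismatch on the TV. The toy DH group and the six-digit code format are assumptions for illustration.

```python
"""Toy model of screen-code pairing (added example; not from the article,
Bishop Fox or Google). Standard library only."""
import hashlib

# Toy Diffie-Hellman parameters, labelled as such: 2**255 - 19 is prime, but
# (p, g=2) is NOT a vetted DH group. A real device would use X25519 or RFC 3526.
P = 2**255 - 19
G = 2


def dh_public(priv):
    return pow(G, priv, P)


def dh_shared(priv, peer_pub):
    return pow(peer_pub, priv, P)


def screen_code(pub_a, pub_b, secret):
    """6-digit code bound to both public keys this side saw plus the shared
    secret. The TV shows its value, the app computes its own, and the user
    confirms they match. (Real short-authentication-string protocols also add
    a commitment round so an active attacker cannot grind keys for a match.)"""
    lo, hi = sorted((pub_a, pub_b))
    digest = hashlib.sha256(f"{lo}|{hi}|{secret}".encode()).digest()
    return int.from_bytes(digest[:4], "big") % 1_000_000


def pairing_codes(tv_priv, app_priv, mitm_priv=None):
    """Return (code shown on the TV, code computed by the app). With no
    attacker both sides see the same public keys and derive the same secret.
    An attacker relaying traffic and substituting its own key in each
    direction shares a secret with each side separately, so the two codes are
    computed over different key pairs and differ."""
    tv_pub, app_pub = dh_public(tv_priv), dh_public(app_priv)
    if mitm_priv is None:
        return (screen_code(tv_pub, app_pub, dh_shared(tv_priv, app_pub)),
                screen_code(app_pub, tv_pub, dh_shared(app_priv, tv_pub)))
    mitm_pub = dh_public(mitm_priv)
    return (screen_code(tv_pub, mitm_pub, dh_shared(tv_priv, mitm_pub)),
            screen_code(app_pub, mitm_pub, dh_shared(app_priv, mitm_pub)))


def pairing_succeeds(tv_priv, app_priv, mitm_priv=None):
    """True when the user would see matching codes and approve the pairing."""
    tv_code, app_code = pairing_codes(tv_priv, app_priv, mitm_priv)
    return tv_code == app_code
```

`pairing_succeeds(a, b)` is True for any honest pair of private keys; with a relaying third key it is False apart from a one-in-a-million accidental collision of the six-digit code.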
The ultimate trolling (obligatory xkcd) http://xkcd.com/351/
The only place I can see this being relevant is if you brought your Chromecast to a hotel and were on the Hotel's Wifi using your phone/tablet to control the content. Then someone could easily Rick Roll you using this method.
Still, the factory reset button is the answer.... would certainly be funny though.
First: This is awesome. Of course I love this little hack that exploits some pretty serious default misconfiguration.
Second: I hate seeing "code" which is really just a 'wrapper' around other tools. This isn't 'Python code' as much as a 'glorified shell script that relies on Linux free tools!'... maybe some attribution for:
aireplay-ng
line 138: os.system("aireplay-ng -D -0 0 -a" + network.MAC + " mon0 &")
Linux Wireless Network tools????
line 255: 'iwlist wlan0 scan 2>/dev/null',
Third: It really doesn't matter, because 1) Did I mention this is COOL shit. :-)
KPH
If my choice was watching The Recruit again or being rickrolled.... I'd take being rickrolled.
The White House takes suggestions, doesn't it? Someone should start a petition to treat Rick Rolling as a capital offense. Oh, and yeah, get OFF MY LAWN!! Damn dumb millennials.
Any guest worker system is indistinguishable from indentured servitude.
Actually, yes, this might be a Rickfail, due to the copyright goons telling YouTube to take down the original Rickroll video.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks