Slashdot Mirror

← Back to Stories (view on slashdot.org)

The "Rickmote Controller" Can Hijack Any Google Chromecast

Posted by samzenpus on from the never-going-to-give-you-up dept.

redletterdave writes Dan Petro, a security analyst for the Bishop Fox IT consulting firm, built a proof of concept device that's able to hack into any Google Chromecasts nearby to project Rick Astley's "Never Gonna Give You Up," or any other video a prankster might choose. The "Rickmote," which is built on top of the $35 Raspberry Pi single board computer, finds a local Chromecast device, boots it off the network, and then takes over the screen with multimedia of one's choosing. But it gets worse for the victims: If the hacker leaves the range of the device, there's no way to regain control of the Chromecast. Unfortunately for Google, this is a rather serious issue with the Chromecast device that's not too easy to fix, as the configuration process is an essential part of the Chromecast experience.

32 of 131 comments (clear)

  1. Maybe it's just me ... by caferace · · Score: 2
    But I find that kind of awesome. :)

    Kind of.

    1. Re:Maybe it's just me ... by caferace · · Score: 2

      There is always a fix. I doubt people are going to be wardriving for Chromecasts. Does it suck from a security standpoint? Yes. But the guys at least have a sense of humour. Better than goatse, right?

    2. Re:Maybe it's just me ... by CanHasDIY · · Score: 4, Funny

      Per TFA - you can totally point it to goatse rather than Rick Astley.

      Although for some people, there's little actionable difference between the two.

      --
      An enigma, wrapped in a riddle, shrouded in bacon and cheese
    3. Re:Maybe it's just me ... by caferace · · Score: 2

      But think of the children! Oh. Wait. Yeah. They'd be scarred for life either way.

    4. Re:Maybe it's just me ... by 2muchcoffeeman · · Score: 4, Informative

      That's not what it says in the post: "The 'Rickmote,' which is built on top of the $35 Raspberry Pi single board computer, finds a local Chromecast device, boots it off the network, and then takes over the screen with multimedia of one's choosing. ... But it gets worse for the victims: If the hacker leaves the range of the device, there's no way to regain control of the Chromecast."

      So ... yeah, it's never gonna give you up.

      --
      Prevent Windows piracy. Use Linux instead.
    5. Re:Maybe it's just me ... by Anonymous Coward · · Score: 2, Informative

      I wondering if that part of the article is correct. There is a hard reset button on the chromecast that you can use to force it into initialization mode. I'm wondering if that could be used to gain back control of it.

    6. Re:Maybe it's just me ... by Anonymous Coward · · Score: 5, Funny

      Holy shit! I was pretty surprised to hear about a security hole in Chromecast, but I was really flabbergasted to hear about your DOG THAT CAN FUCKING READ!

    7. Re:Maybe it's just me ... by Altus · · Score: 2

      Once you have set a chrome cast playing some media it is doing it all on its own and it requires commands from another device to get it to stop... or it comes to the end of the media but it could be set up to repeat over and over. If you can't control the chromecast anymore its pretty useless.... I'm guessing there is a way to factory reset the device and start over.

      --

      "In America, first you get the sugar, then you get the power, then you get the women..." -H. Simpson

    8. Re:Maybe it's just me ... by Anonymous Coward · · Score: 5, Informative

      25 seconds of holding a button, and your device is yours again. It's annoying, but it's not like an attacker is stealing your identity and financial information with this.

      https://support.google.com/chr...

      There are two ways to Factory Data Reset (FDR) your Chromecast:
      - Factory Data Reset your Chromecast from the Chromecast app. You will find the option to FDR under ‘Settings’ or ‘Menu’ or
      - Physically hold down the button on your Chromecast for at least 25 seconds or until the solid light begins flashing.

    9. Re:Maybe it's just me ... by profplump · · Score: 2

      But you can just hard-reset the Chromecast and reconfigure it for the network you want it to use. If the article says otherwise it's wrong.
      https://support.google.com/chr...

      To quote the manual:
      "There are two ways to Factory Data Reset (FDR) your Chromecast: Factory Data Reset your Chromecast from the Chromecast app. You will find the option to FDR under ‘Settings’ or ‘Menu’ or Physically hold down the button on your Chromecast for at least 25 seconds or until the solid light begins flashing."

    10. Re:Maybe it's just me ... by JDeane · · Score: 2

      We could combine the two... maybe a Rick Roll Goatse mega combo?

    11. Re:Maybe it's just me ... by viperidaenz · · Score: 4, Informative

      ... there's no way to regain control of the Chromecast unless you RTFM and press the reset button

    12. Re:Maybe it's just me ... by deek · · Score: 5, Funny

      Hence, for the vast majority, there's no way to regain control of the Chromecast.

    13. Re:Maybe it's just me ... by davester666 · · Score: 2

      yes, the reset procedure is to apply a significant amount of force using a blunt object.

      --
      Sleep your way to a whiter smile...date a dentist!
  2. What an awesome security hole! by NoNonAlphaCharsHere · · Score: 4, Funny

    That's right up there with the Windows Explorrer thing that executed arbitrary code from a bitmap file when you visited the directory it lived in. Kudos to Google for keeping up.

  3. Better version of TFA by fph+il+quozientatore · · Score: 5, Informative

    Article in original content format, without ads: here

    --
    My first program:

    Hell Segmentation fault

    1. Re:Better version of TFA by NoNonAlphaCharsHere · · Score: 2, Insightful

      Gosh, I wonder what item on YouTube THAT could point to...

    2. Re:Better version of TFA by paiute · · Score: 2

      Article in original content format, without ads:

      It just isn't the same with a 15 second ad tacked on the front.

      --
      If Slashdot were chemistry it would look like this:Cadaverine
  4. Secure pairing is hard by Animats · · Score: 4, Interesting

    This is a general problem with devices that are "paired". How do you securely establish the initial connection, when neither side knows anything about the other?

    The secure solutions involve some shared secret between the two devices. This requires a secure transmission path between the devices, such as typing in a generated key (like a WPA2 key) or physically carrying a crypto key carrier to each device (this is how serious cryptosystems work).

    Semi-secure systems involve things like creating a short period of temporary vulnerability (as with Bluetooth pairing). There's a scheme for sharing between cellphones where you bump the phones together, and they both sense the deceleration at close to the same time.

    1. Re:Secure pairing is hard by tlhIngan · · Score: 2

      This is a general problem with devices that are "paired". How do you securely establish the initial connection, when neither side knows anything about the other?

      The secure solutions involve some shared secret between the two devices. This requires a secure transmission path between the devices, such as typing in a generated key (like a WPA2 key) or physically carrying a crypto key carrier to each device (this is how serious cryptosystems work).

      Semi-secure systems involve things like creating a short period of temporary vulnerability (as with Bluetooth pairing). There's a scheme for sharing between cellphones where you bump the phones together, and they both sense the deceleration at close to the same time.

      Or, given the nature of the device as it's physical, it can be a sticker on the device itself. Or given that it has to be connected to a TV, the security pairing code can be displayed on the TV as well and the user enters that code in.

      The nature of the Chromecast means there is a secure physical channel to allow such communications to take place.

    2. Re:Secure pairing is hard by Miamicanes · · Score: 3, Insightful

      Canonical Diffie-Hellman is vulnerable to MITM attacks when both parties are mutually-anonymous. There are ways to reduce the risk, but at the end of the day, unless at least one party knows who it's supposed to be talking to & can independently verify the other party's identity and the integrity of key-exchange traffic supposedly taking place with it, you can never know for sure that you aren't having a securely-encrypted conversation with an attacker.

      AFAIK, there's no currently known way to achieve 100% mutually-anonymous key exchange that isn't also vulnerable to MITM. Every few months, someone proposes one, and someone like Schiener usually takes one look at it and casually mentions a half-dozen ways it can be defeated in between sips of coffee.

  5. Nowhere in TFA by OverlordQ · · Score: 3, Insightful

    If the hacker leaves the range of the device, there’s no way to regain control of the Chromecast

    Nowhere in TFA does it say why a Factory Data Reset wont fix that.

    --
    Your hair look like poop, Bob! - Wanker.
    1. Re:Nowhere in TFA by rreay · · Score: 2

      Because the summary is wrong. The article says exactly the opposite of the summary. (bold mine)

      But it gets worse for the victims: If the hacker's Rickmote stays within the range of the device, even if you turn the Chromecast off and on again, it will constantly reconnect to the Rickmote â" "thus the Rickroll keeps going indefinitely," Petro told BI.

  6. Re:Doesn't this require access to your network by Anonymous Coward · · Score: 5, Informative

    Quote the article: "When the Chromecast receives the “deauth” command, it returns to its configuration mode, leaving it open for a device — in this case, the Rickmote — to configure it. At that point, the Rickmote tells the Chromecast to connect to its own WiFi network, at which point, Google’s streaming stick is effectively hacked."

    Imagine Dr. Evil making air quotes: "Security."

  7. Where's the factory-reset button? by davidwr · · Score: 2, Interesting

    If the hacker leaves the range of the device, there's no way to regain control of the Chromecast.

    Where's the factory-reset button when you need it?

    Consumer-electronics that aren't so cheap they are "disposable" should have a "reset to last known good state" hardware button and for some types of devices, a "save current state as known good state" hardware button. If the second button is missing, the "factory fresh state" will forever be the only "last known good state."

    The second button is needed for installing "bios-level" anti-theft software and the like that can't be undone by the first button, if the customer wants to make that software non-uninstallable by a security-savvy thief should it be stolen.

    For some products, one or both of these buttons may require opening the case and breaking tamper-evident seals, but they should exist, and they should be true hardware buttons, not defeat-able by software.

    They need to be hardware buttons so a virus or malware doesn't "press" them, defeating the purpose of being able to "roll back" the machine to a previous state.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:Where's the factory-reset button? by Anonymous Coward · · Score: 5, Informative

      http://www.tnet.com/products/devices/chromecast/resetbutton

      it does.

    2. Re:Where's the factory-reset button? by Threni · · Score: 5, Informative

      > Where's the factory-reset button when you need it?

      It's on the Chromecast.

      > They need to be hardware buttons

      It's a hardware button.

  8. Re:Doesn't this require access to your network by Xylantiel · · Score: 2

    Seems like this is trivial to fix by requiring a physical button press to return to the configuration mode after the Chromecast is successfully configured onto a wifi network.

  9. Re:Doesn't this require access to your network by m00sh · · Score: 2

    Quote the article: "When the Chromecast receives the “deauth” command, it returns to its configuration mode, leaving it open for a device — in this case, the Rickmote — to configure it. At that point, the Rickmote tells the Chromecast to connect to its own WiFi network, at which point, Google’s streaming stick is effectively hacked."

    Imagine Dr. Evil making air quotes: "Security."

    In order to give the deauth command, you have to be in the same network as the Chromecast.

    So, you can't rick roll a chromecast unless you find a way to get into the network that has the chromecast.

    I can see this being a problem in offices and other places where a large number of people connect to the same wifi hotspot but this is not a problem at home.

    An easier way to rick roll would be to just pull out your youtube app and then start rick roll on the chromecast. This will stop whatever it is playing before and play the rick roll video.

  10. Mario Goatse by tepples · · Score: 2

    I'm not sure kids should be exposed to Mario Goatse.

  11. Anti-glasshole version by Stickerboy · · Score: 4, Interesting

    Waiting for the Google Glass version Rickmote. That one has endless possibilities...

    --
    Light a fire for a man and he'll be warm for a day. Light a man on fire and he'll be warm for the rest of his life.
  12. Re:Pardon for clearification by exomondo · · Score: 2

    "boots it off the network"

    How exactly is that accomplished?

    Through a deauthorization attack