Please create an account to participate in the Slashdot moderation system

 


Forgot your password?
Close
typodupeerror
×
Google Chrome Security Idle

The "Rickmote Controller" Can Hijack Any Google Chromecast 131

Posted by samzenpus from the never-going-to-give-you-up dept.
redletterdave writes Dan Petro, a security analyst for the Bishop Fox IT consulting firm, built a proof of concept device that's able to hack into any Google Chromecasts nearby to project Rick Astley's "Never Gonna Give You Up," or any other video a prankster might choose. The "Rickmote," which is built on top of the $35 Raspberry Pi single board computer, finds a local Chromecast device, boots it off the network, and then takes over the screen with multimedia of one's choosing. But it gets worse for the victims: If the hacker leaves the range of the device, there's no way to regain control of the Chromecast. Unfortunately for Google, this is a rather serious issue with the Chromecast device that's not too easy to fix, as the configuration process is an essential part of the Chromecast experience.
This discussion has been archived. No new comments can be posted.

The "Rickmote Controller" Can Hijack Any Google Chromecast More

The "Rickmote Controller" Can Hijack Any Google Chromecast

Comments Filter:

  • Secure pairing is hard (Score:5, Interesting)

    by Animats ( 122034 ) on Monday July 21, 2014 @05:14PM (#47503637) Homepage

    This is a general problem with devices that are "paired". How do you securely establish the initial connection, when neither side knows anything about the other?

    The secure solutions involve some shared secret between the two devices. This requires a secure transmission path between the devices, such as typing in a generated key (like a WPA2 key) or physically carrying a crypto key carrier to each device (this is how serious cryptosystems work).

    Semi-secure systems involve things like creating a short period of temporary vulnerability (as with Bluetooth pairing). There's a scheme for sharing between cellphones where you bump the phones together, and they both sense the deceleration at close to the same time.

  • Where's the factory-reset button? (Score:2, Interesting)

    by davidwr ( 791652 ) on Monday July 21, 2014 @05:21PM (#47503691) Homepage Journal

    If the hacker leaves the range of the device, there's no way to regain control of the Chromecast.

    Where's the factory-reset button when you need it?

    Consumer-electronics that aren't so cheap they are "disposable" should have a "reset to last known good state" hardware button and for some types of devices, a "save current state as known good state" hardware button. If the second button is missing, the "factory fresh state" will forever be the only "last known good state."

    The second button is needed for installing "bios-level" anti-theft software and the like that can't be undone by the first button, if the customer wants to make that software non-uninstallable by a security-savvy thief should it be stolen.

    For some products, one or both of these buttons may require opening the case and breaking tamper-evident seals, but they should exist, and they should be true hardware buttons, not defeat-able by software.

    They need to be hardware buttons so a virus or malware doesn't "press" them, defeating the purpose of being able to "roll back" the machine to a previous state.

  • Anti-glasshole version (Score:5, Interesting)

    by Stickerboy ( 61554 ) on Monday July 21, 2014 @08:52PM (#47504701) Homepage

    Waiting for the Google Glass version Rickmote. That one has endless possibilities...

Slashdot Top Deals

Happiness is twin floppies.

Close