The "Rickmote Controller" Can Hijack Any Google Chromecast

Posted by samzenpus
from the never-going-to-give-you-up dept.
redletterdave writes: Dan Petro, a security analyst for the Bishop Fox IT consulting firm, built a proof of concept device that's able to hack into any Google Chromecasts nearby to project Rick Astley's "Never Gonna Give You Up," or any other video a prankster might choose. The "Rickmote," which is built on top of the $35 Raspberry Pi single board computer, finds a local Chromecast device, boots it off the network, and then takes over the screen with multimedia of one's choosing. But it gets worse for the victims: If the hacker leaves the range of the device, there's no way to regain control of the Chromecast. Unfortunately for Google, this is a rather serious issue with the Chromecast device that's not too easy to fix, as the configuration process is an essential part of the Chromecast experience.
  • But I find that kind of awesome. :)

    Kind of.

    • by Isca (550291)
      It's awesome except for the 35 dollars someone is out.

      Hopefully it has a tool in it that deauths it again when you are done, to make it just inconvenient.
      • by caferace (442)
        There is always a fix. I doubt people are going to be wardriving for Chromecasts. Does it suck from a security standpoint? Yes. But the guys at least have a sense of humour. Better than goatse, right?
      • by Guspaz (556486)

        They're not out $35, it's basically a jammer, and only works while in range of the chromecast's wifi.

        A wifi jammer would make the chromecast just as inoperable.

        • by 2muchcoffeeman (573484) on Monday July 21, 2014 @05:09PM (#47503597) Journal

          That's not what it says in the post: "The 'Rickmote,' which is built on top of the $35 Raspberry Pi single board computer, finds a local Chromecast device, boots it off the network, and then takes over the screen with multimedia of one's choosing. ... But it gets worse for the victims: If the hacker leaves the range of the device, there's no way to regain control of the Chromecast."

          So ... yeah, it's never gonna give you up.

        • Actually, from TFS

          "But it gets worse for the victims: If the hacker leaves the range of the device, there's no way to regain control of the Chromecast. "

          so no, it doesn't only work while in range of the chromecast's wifi... It bricks the device...

          • Re: (Score:2, Informative)

            by Anonymous Coward

            I'm wondering if that part of the article is correct. There is a hard reset button on the Chromecast that you can use to force it into initialization mode. I'm wondering if that could be used to gain back control of it.

          • I doubt it - I suspect the CC merely has no way to reenter deauth without outside intervention; you'd probably need a non-malicious version of Rickmote to re-deauth it and have it ready to set up again.
        • by gbjbaanb (229885)

          Did you even read the summary?!

          But it gets worse for the victims: If the hacker leaves the range of the device, there's no way to regain control of the Chromecast

          • I suspect that the article and summary are inaccurate. There's a factory reset button on the Chromecast, and from the description of the device, it's just de-authing the CC from the network it's connected to, configuring it to connect to the Pi, and sending a command to display a link. I've used that button to delete the config and set up the CC at a friend's house, and none of the text descriptions on this story make it sound like the Rickmote is doing anything else.
      • by Anonymous Coward
        The story is sort of bullshit though; Chromecasts have a factory reset function. So getting control back is not as simple as fire up Netflix and tell it to cast - but it IS as simple as firing up the Chromecast app itself and resetting the Chromecast and configuring it back to your network. Not that big of a deal really. No, my mom wouldn't get through it until she called me for help first. But my kids would get through it on their own.
  • by tippe (1136385)

    Couldn't he have just displayed a Goatse and have been done with it? What he did was in poor taste; don't security researchers have any professionalism any more? Seriously, there should be a law against this sort of thing... [techsmartly.net]

  • by NoNonAlphaCharsHere (2201864) on Monday July 21, 2014 @05:06PM (#47503567)
    That's right up there with the Windows Explorer thing that executed arbitrary code from a bitmap file when you visited the directory it lived in. Kudos to Google for keeping up.
  • Doesn't this first require that you can get into the chromecast's wireless network first?

    If you can get on someone's wireless network, there is a lot of things you can do.

    Can't this be easily solved by making the process of jumping to a different wireless router in the configuration mode more secure?

    After the hacker leaves the range, the chromecast will not connect to the original network. I don't know if the chromecast installation tool can reconnect to it and reconfigure the network it connects

    • by Anonymous Coward on Monday July 21, 2014 @05:15PM (#47503653)

      Quote the article: "When the Chromecast receives the “deauth” command, it returns to its configuration mode, leaving it open for a device — in this case, the Rickmote — to configure it. At that point, the Rickmote tells the Chromecast to connect to its own WiFi network, at which point, Google’s streaming stick is effectively hacked."

      Imagine Dr. Evil making air quotes: "Security."

      • by Xylantiel (177496)
        Seems like this is trivial to fix by requiring a physical button press to return to the configuration mode after the Chromecast is successfully configured onto a wifi network.
        • Hard to add that on all the already sold units...
          • Why? It's a matter of updating the firmware. There already is a physical button on chromecast devices. It's also stated that holding the button down 25 seconds will factory reset a chromecast.
      • by m00sh (2538182)

        Quote the article: "When the Chromecast receives the “deauth” command, it returns to its configuration mode, leaving it open for a device — in this case, the Rickmote — to configure it. At that point, the Rickmote tells the Chromecast to connect to its own WiFi network, at which point, Google’s streaming stick is effectively hacked."

        Imagine Dr. Evil making air quotes: "Security."

        In order to give the deauth command, you have to be in the same network as the Chromecast.

        So, you can't rick roll a chromecast unless you find a way to get into the network that has the chromecast.

        I can see this being a problem in offices and other places where a large number of people connect to the same wifi hotspot but this is not a problem at home.

        An easier way to rick roll would be to just pull out your youtube app and then start rick roll on the chromecast. This will stop whatever it is playing

        • by Anonymous Coward

          You do not have to be on the network to broadcast deauth commands.

  • "boots it off the network"

    How exactly is that accomplished? I'd assume that anyone inside a network has basically unfettered access to the device, but how would a 'drive by' attacker be able to accomplish this?

  • by fph il quozientatore (971015) on Monday July 21, 2014 @05:13PM (#47503631) Homepage
    Article in original content format, without ads: here [youtube.com]
  • by Animats (122034) on Monday July 21, 2014 @05:14PM (#47503637) Homepage

    This is a general problem with devices that are "paired". How do you securely establish the initial connection, when neither side knows anything about the other?

    The secure solutions involve some shared secret between the two devices. This requires a secure transmission path between the devices, such as typing in a generated key (like a WPA2 key) or physically carrying a crypto key carrier to each device (this is how serious cryptosystems work).

    Semi-secure systems involve things like creating a short period of temporary vulnerability (as with Bluetooth pairing). There's a scheme for sharing between cellphones where you bump the phones together, and they both sense the deceleration at close to the same time.

    • by Anonymous Coward

      "The secure solution involve some shared secret between the two devices." You mean like the TV displaying a code and the user entering it on the device he's pairing with?
       
        Of course that's probably incredibly difficult to implement and places such a huge burden on the user. /sarcasm

    • If you knew anything about the possibilities of cryptography then you would know that you can exchange data even over an unsecured channel... Use a standard with asymmetric key encryption. Even a simple Diffie-Hellman key exchange solves all your problems.
      • How does Diffie-Hellman key exchange provide identification of the other party?
        It allows the exchange of secret data (keys) over an insecure link.
        It is not possible to determine who the other party is. That's where PKI comes in, which doesn't require Diffie-Hellman key exchange at all.

        • by Sloppy (14984)

          How does Diffie-Hellman key exchange provide identification of the other party? .. It is not possible to determine who the other party is

          It's possible. It requires an extra piece beyond the DH, but that extra piece isn't PKI. The user is the trusted introducer. The user looks around and says "Yep, these are the only two devices physically here that I have ordered to peer, right now." They are identified by being in the right place at the right time, triggered by the user saying "Now." That's a pretty g

          • Yes, because a user physically looking around can see all the wifi devices in range.

            Don't know about you but I can't see any electromagnetic radiation below 400THz

      • by Miamicanes (730264) on Monday July 21, 2014 @09:42PM (#47504861)

        Canonical Diffie-Hellman is vulnerable to MITM attacks when both parties are mutually-anonymous. There are ways to reduce the risk, but at the end of the day, unless at least one party knows who it's supposed to be talking to & can independently verify the other party's identity and the integrity of key-exchange traffic supposedly taking place with it, you can never know for sure that you aren't having a securely-encrypted conversation with an attacker.

        AFAIK, there's no currently known way to achieve 100% mutually-anonymous key exchange that isn't also vulnerable to MITM. Every few months, someone proposes one, and someone like Schneier usually takes one look at it and casually mentions a half-dozen ways it can be defeated in between sips of coffee.

        • unless at least one party knows who it's supposed to be talking to & can independently verify the other party's identity and the integrity of key-exchange traffic supposedly taking place with it,

          For short-range communications between devices operated by human beings, this isn't as hard as one might think.

          Let's say I want my cell phone to communicate with a kiosk at McDonald's, without having to rely on the phone network to do the authentication.

          Behind the counter, McDonalds has a poster-sized, easy-to-photograph representation of the kiosk's public key.

          Now to exchange keys, I walk up to the kiosk and press a button. It puts a random picture on the screen. My phone takes a picture of it, combines

    • by tlhIngan (30335)

      This is a general problem with devices that are "paired". How do you securely establish the initial connection, when neither side knows anything about the other?

      The secure solutions involve some shared secret between the two devices. This requires a secure transmission path between the devices, such as typing in a generated key (like a WPA2 key) or physically carrying a crypto key carrier to each device (this is how serious cryptosystems work).

      Semi-secure systems involve things like creating a short period

      • Or given that it has to be connected to a TV, the security pairing code can be displayed on the TV as well and the user enters that code in.

        Anything the Chromecast can connect to is at least 720p - plenty for a QR code with a fairly beefy key.

        • by tepples (727027)
          Good luck taking a picture of a QR code with a desktop computer. A 40-bit key fingerprint using eight base32 characters should be enough for home use.
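The thread above proposes displaying a short pairing code on the TV that the user confirms on the other device, with a 40-bit fingerprint as eight base32 characters. The following is an added example (not code from the article, Bishop Fox, or any commenter) showing how such a short authentication string is derived from an otherwise anonymous Diffie-Hellman exchange and why a man-in-the-middle causes the two codes to differ; the DH group is a toy-sized constant chosen only so the demo runs.

```python
import base64
import hashlib
import secrets

# Toy-sized DH group for a runnable demo only (constructed; not a production
# parameter): P is the Mersenne prime 2^127 - 1, G = 3.
P = (1 << 127) - 1
G = 3


def dh_keypair():
    """Return (private, public) for one side of the exchange."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def pairing_code(own_pub, peer_pub, shared):
    """40-bit short authentication string: 8 base32 characters derived from the
    transcript this side actually saw (both public values plus the resulting
    shared secret). Sorting the public values lets both honest sides agree."""
    transcript = "|".join(str(v) for v in sorted((own_pub, peer_pub)) + [shared])
    digest = hashlib.sha256(transcript.encode()).digest()
    return base64.b32encode(digest[:5]).decode()  # 5 bytes -> 8 base32 chars


def run_pairing(mitm=False):
    """Run the exchange between a TV-side device and a phone and return the
    code each side would display/enter. With mitm=True an attacker relays the
    handshake and substitutes its own public value, which plain DH permits."""
    tv_priv, tv_pub = dh_keypair()
    ph_priv, ph_pub = dh_keypair()
    if not mitm:
        tv_code = pairing_code(tv_pub, ph_pub, pow(ph_pub, tv_priv, P))
        ph_code = pairing_code(ph_pub, tv_pub, pow(tv_pub, ph_priv, P))
        return tv_code, ph_code
    # The attacker ends up holding two separate shared secrets, one per victim,
    # so the transcripts the two honest sides see no longer match.
    att_priv, att_pub = dh_keypair()
    tv_code = pairing_code(tv_pub, att_pub, pow(att_pub, tv_priv, P))
    ph_code = pairing_code(ph_pub, att_pub, pow(att_pub, ph_priv, P))
    return tv_code, ph_code


def user_confirms(tv_code, ph_code):
    """The user is the trusted introducer: pairing proceeds only when the code
    shown on the TV matches the code shown on the phone."""
    return secrets.compare_digest(tv_code, ph_code)
```

A 40-bit code gives an attacker roughly a 1 in 2^40 chance of a matching pair per attempt, which is why a short, human-checkable string is adequate for a one-off pairing at home.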
    • by discord5 (798235)

      This is a general problem with devices that are "paired". How do you securely establish the initial connection, when neither side knows anything about the other?

      The problem isn't the initial connection really. Sure, there's an attack window there, but if it weren't for the actual problem it wouldn't have been as easily exploitable as it appears to be. The problem is that it is trivial once the Chromecast is connected to the WLAN to force it to reconfigure.

      The Youtube video of his presentation [youtube.com] (no transcript, sorry, go listen to it in the background while doing something else) makes it clear that it's trivially simple to get the device looking for a suitable partner

  • Nowhere in TFA (Score:4, Insightful)

    by OverlordQ (264228) on Monday July 21, 2014 @05:15PM (#47503651) Journal

    If the hacker leaves the range of the device, there’s no way to regain control of the Chromecast

    Nowhere in TFA does it say why a Factory Data Reset won't fix that.

    • by Anonymous Coward

      So Rick is only going to give you up after a Factory Data Reset?

      • by rsborg (111459)

        So Rick is only going to give you up after a Factory Data Reset?

        The lyrics take on a whole new meaning with this exploit :)

    • by Anonymous Coward

      It's not really much of a fix if the attacker can just do the same attack again immediately.

      • by davidwr (791652)

        It's not really much of a fix if the attacker can just do the same attack again immediately.

        From TFS:

        If the hacker leaves the range of the device...

    • by rreay (50160)

      Because the summary is wrong. The article says exactly the opposite of the summary. (bold mine)

      But it gets worse for the victims: If the hacker's Rickmote stays within the range of the device, even if you turn the Chromecast off and on again, it will constantly reconnect to the Rickmote - "thus the Rickroll keeps going indefinitely," Petro told BI.

  • If the hacker leaves the range of the device, there's no way to regain control of the Chromecast.

    Where's the factory-reset button when you need it?

    Consumer-electronics that aren't so cheap they are "disposable" should have a "reset to last known good state" hardware button and for some types of devices, a "save current state as known good state" hardware button. If the second button is missing, the "factory fresh state" will forever be the only "last known good state."

    The second button is needed for installing "bios-level" anti-theft software and the like that can't be undone by the first button, if t

  • If Google can "remotely configure" your device, then so can someone else if they're determined enough.

    Duh.
  • Cruisin' down the street
    Real slow
    While the Chromecasters be yellin'
    RICKROLLED!
  • Person with access to your local network can configure network configurable device.

  • I think I read that in a EULA somewhere....
  • by Stickerboy (61554) on Monday July 21, 2014 @08:52PM (#47504701) Homepage

    Waiting for the Google Glass version Rickmote. That one has endless possibilities...

  • The ultimate trolling (obligatory xkcd) http://xkcd.com/351/ [xkcd.com]
  • First: This is awesome. Of course I love this little hack that exploits some pretty serious default misconfiguration.

    Second: I hate seeing "code" which is really just a 'wrapper' around other tools. This isn't 'Python code' as much as a 'glorified shell script that relies on Linux free tools!'... maybe some attribution for:

    aireplay-ng

    line 138: os.system("aireplay-ng -D -0 0 -a" + network.MAC + " mon0 &")

    Linux Wireless Network tools????

    line 255: 'iwlist wlan0 scan 2>/dev/null',

    Third: It re

    • by superwiz (655733)
      did you say line 138? And then line 255? That's a LOT for a python script. Sounds like python is doing most of the setup work.
  • The White House takes suggestions, doesn't it? Someone should start a petition to treat Rick Rolling as a capital offense. Oh, and yeah, get OFF MY LAWN!! Damn dumb millennials.
