The "Rickmote Controller" Can Hijack Any Google Chromecast 131
redletterdave writes Dan Petro, a security analyst for the Bishop Fox IT consulting firm, built a proof of concept device that's able to hack into any Google Chromecasts nearby to project Rick Astley's "Never Gonna Give You Up," or any other video a prankster might choose. The "Rickmote," which is built on top of the $35 Raspberry Pi single board computer, finds a local Chromecast device, boots it off the network, and then takes over the screen with multimedia of one's choosing. But it gets worse for the victims: If the hacker leaves the range of the device, there's no way to regain control of the Chromecast. Unfortunately for Google, this is a rather serious issue with the Chromecast device that's not too easy to fix, as the configuration process is an essential part of the Chromecast experience.
Maybe it's just me ... (Score:2)
Kind of.
Re: (Score:2)
Hopefully it has a tool in it that deauth's it again when you are done to make it just inconvenient.
Re: (Score:2)
Re:Maybe it's just me ... (Score:5, Funny)
Per TFA - you can totally point it to goatse rather than Rick Astley.
Although for some people, there's little actionable difference between the two.
Re: (Score:2)
Re: (Score:3)
We could combine the two... maybe a Rick Roll Goatse mega combo?
Re: (Score:1)
Mario Goatse (Score:3)
Re: (Score:2)
Re: (Score:1)
They're not out $35, it's basically a jammer, and only works while in range of the chromecast's wifi.
A wifi jammer would make the chromecast just as inoperable.
Re:Maybe it's just me ... (Score:5, Informative)
That's not what it says in the post: "The 'Rickmote,' which is built on top of the $35 Raspberry Pi single board computer, finds a local Chromecast device, boots it off the network, and then takes over the screen with multimedia of one's choosing. ... But it gets worse for the victims: If the hacker leaves the range of the device, there's no way to regain control of the Chromecast."
So ... yeah, it's never gonna give you up.
Re: (Score:3)
Once you have set a chrome cast playing some media it is doing it all on its own and it requires commands from another device to get it to stop... or it comes to the end of the media but it could be set up to repeat over and over. If you can't control the chromecast anymore its pretty useless.... I'm guessing there is a way to factory reset the device and start over.
Re: (Score:2)
yes, the reset procedure is to apply a significant amount of force using a blunt object.
Re:Maybe it's just me ... (Score:5, Informative)
25 seconds of holding a button, and your device is yours again. It's annoying, but it's not like an attacker is stealing your identity and financial information with this.
https://support.google.com/chr... [google.com]
Re:Maybe it's just me ... (Score:5, Informative)
... there's no way to regain control of the Chromecast unless you RTFM and press the reset button
Re:Maybe it's just me ... (Score:5, Funny)
Hence, for the vast majority, there's no way to regain control of the Chromecast.
Re: (Score:1)
Actually, from TFS
"But it gets worse for the victims: If the hacker leaves the range of the device, there's no way to regain control of the Chromecast. "
so no, it doesn't only work while in range of the chromecast's wifi... It bricks the device...
Re: (Score:2, Informative)
I wondering if that part of the article is correct. There is a hard reset button on the chromecast that you can use to force it into initialization mode. I'm wondering if that could be used to gain back control of it.
Re: (Score:2)
Re:Maybe it's just me ... (Score:5, Funny)
It's not his canine that can read (Score:1)
It's his deity. He's dyslexic.
As to whether his deity can copulate or not... well, what happens on Mount Olympus stays on Mount Olympus... except in the case of pregnancies - those are the things of which legends are born.
Re: (Score:2)
Did you even read the summary?!
But it gets worse for the victims: If the hacker leaves the range of the device, there's no way to regain control of the Chromecast
Re: (Score:2)
Re: (Score:3)
But you can just hard-reset the Chromecast and reconfigure it for the network you want it to use. If the article says otherwise it's wrong.
https://support.google.com/chr... [google.com]
To quote the manual:
"There are two ways to Factory Data Reset (FDR) your Chromecast: Factory Data Reset your Chromecast from the Chromecast app. You will find the option to FDR under ‘Settings’ or ‘Menu’ or Physically hold down the button on your Chromecast for at least 25 seconds or until the solid light begins fl
Re: (Score:1)
Re: (Score:2)
I was waiting for an ironic "Pepperidge Farm Remembers" ending.
Goatse (Score:2)
Couldn't he have just displayed a Goatse and have been done with it? What he did was in poor taste; don't security researchers have any professionalism any more? Seriously, there should be a law against this sort of thing... [techsmartly.net]
Re: (Score:1)
With most web-email showing previews of enclosed links, it's much harder to accomplish the rolling of Rick via email. This guy deserves our praise for seeking out creative alternatives.
Re: (Score:2)
I just get a message saying "You've been rickrolled! EPIC EPIC EPIC" followed by "This plugin is disabled"
Rickfail?
Original Rickroll YouTube is now disabled (Score:2)
Actually, yes, this might be because a Rickfail due to the copyright goons telling YouTube to take down the original RIckroll video.
Re: (Score:2)
Actually, no, this is because I have disabled the Flash plugin, hence "This plugin is disabled"
What an awesome security hole! (Score:5, Funny)
Doesn't this require access to your network (Score:1)
Doesn't this first require that you can get into the chromecast's wireless network first?
If you can get on someone's wireless network, there is a lot of things you can do.
Can't this be easily solved by making the process of jumping to a different wireless router in the configuration mode more secure.
After the hacker leaves the range, then the chromecast will not connect to the original network. I don't know if the chormecast installation tool can reconnect to it and reconfigure the network it connects
Re:Doesn't this require access to your network (Score:5, Informative)
Quote the article: "When the Chromecast receives the “deauth” command, it returns to its configuration mode, leaving it open for a device — in this case, the Rickmote — to configure it. At that point, the Rickmote tells the Chromecast to connect to its own WiFi network, at which point, Google’s streaming stick is effectively hacked."
Imagine Dr. Evil making air quotes: "Security."
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
Quote the article: "When the Chromecast receives the “deauth” command, it returns to its configuration mode, leaving it open for a device — in this case, the Rickmote — to configure it. At that point, the Rickmote tells the Chromecast to connect to its own WiFi network, at which point, Google’s streaming stick is effectively hacked."
Imagine Dr. Evil making air quotes: "Security."
In order to give the deauth command, you have to be in the same network as the Chromecast.
So, you can't rick roll a chromecast unless you find a way to get into the network that has the chromecast.
I can see this being a problem in offices and other places where a large number of people connect to the same wifi hotspot but this is not a problem at home.
An easier way to rick roll would be to just pull out your youtube app and then start rick roll on the chromecast. This will stop whatever it is playing
Re: (Score:1)
You do not have to be on the network to broadcast deauth commands.
Re: (Score:1)
wtf are you talking about? at what point did you get the impression that you have to be on the network?
The process is to use a deauth attack (you don't have to be on the network to do that) to knock the chromecast off the network at which point you can connect to the chromecast's own wifi network that is used for setup and take control of it.
Pardon for clearification (Score:1)
"boots it off the network"
How exactly is that accomplished? I'd assume that anyone inside a network has basically unfettered access to the device, but how would a 'drive by' attacker be able to accomplish this?
Re: (Score:2)
With a Pringles can.
Re: (Score:2)
Re: (Score:3)
"boots it off the network"
How exactly is that accomplished?
Through a deauthorization attack [ultimatepeter.com]
Better version of TFA (Score:5, Informative)
Re: (Score:3, Insightful)
BROWqjuTM0g is a Rickroll. This isn't. (Score:2)
Re: (Score:1)
It has been modded informative. Therefore, it must be safe to . . . Noooooooooooooooooooooooooooooooooooooooooooooooooooooo!
Re: (Score:3)
Article in original content format, without ads:
It just isn't the same with a 15 second ad tacked on the front.
Secure pairing is hard (Score:5, Interesting)
This is a general problem with devices that are "paired". How do you securely establish the initial connection, when neither side knows anything about the other?
The secure solutions involve some shared secret between the two devices. This requires a secure transmission path between the devices, such as typing in a generated key (like a WPA2 key) or physically carrying a crypto key carrier to each device (this is how serious cryptosystems work).
Semi-secure systems involve things like creating a short period of temporary vulnerability (as with Bluetooth pairing). There's a scheme for sharing between cellphones where you bump the phones together, and they both sense the deceleration at close to the same time.
Re: (Score:1)
"The secure solution involve some shared secret between the two devices." You mean like the TV displaying a code and the user entering it on the device he's pairing with?
/sarcasim
Of course that's probably incredibly difficult to implement and places such a huge burden on the user.
Secure pairing is hard (Score:1)
Re: (Score:2)
How does Diffie-Hellman key exchange provide identification of the other party?
It allows the exchange of secret data (keys) over an insecure link.
It is not possible to determine who the other party is. That's where PKI comes in, which doesn't require Diffie-Hellman key exchange at all.
Re: (Score:2)
It's possible. It requires an extra piece beyond the DH, but that extra piece isn't PKI. The user is the trusted introducer. The user looks around and says "Yep, these are the only two devices physically here that I have ordered to peer, right now." They are identified by being in the right place at the right time, triggered by the user saying "Now." That's a pretty g
Re: (Score:2)
Yes, because a user physically looking around can see all the wifi devices in range.
Don't know about you but I can't see any electromagnetic radiation below 400THz
Re:Secure pairing is hard (Score:4, Insightful)
Canonical Diffie-Hellman is vulnerable to MITM attacks when both parties are mutually-anonymous. There are ways to reduce the risk, but at the end of the day, unless at least one party knows who it's supposed to be talking to & can independently verify the other party's identity and the integrity of key-exchange traffic supposedly taking place with it, you can never know for sure that you aren't having a securely-encrypted conversation with an attacker.
AFAIK, there's no currently known way to achieve 100% mutually-anonymous key exchange that isn't also vulnerable to MITM. Every few months, someone proposes one, and someone like Schiener usually takes one look at it and casually mentions a half-dozen ways it can be defeated in between sips of coffee.
or not ... Re:Secure pairing is hard (Score:1)
unless at least one party knows who it's supposed to be talking to & can independently verify the other party's identity and the integrity of key-exchange traffic supposedly taking place with it,
For short-range communications between devices operated by human beings, this isn't as hard as one might think.
Let's say I want my cell phone to communicate with a kiosk at McDonald's, without having to rely on the phone network to do the authentication.
Behind the counter, McDonalds has a poster-sized, easy-to-photograph representation of the kiosk's public key.
Now to exchange keys, I walk up to the kiosk and press a button. It puts a random picture on the screen. My phone takes a picture of it, combines
Re: (Score:3)
Re: (Score:2)
Or given that it has to be connected to a TV, the security pairing code can be displayed on the TV as well and the user enters that code in.
Anything the Chromecast can connect to is at least 720p - plenty for a QR code with a fairly beefy key.
Re: (Score:2)
Re: (Score:2)
This is a general problem with devices that are "paired". How do you securely establish the initial connection, when neither side knows anything about the other?
The problem isn't the initial connection really. Sure, there's an attack window there, but if it weren't for the actual problem it wouldn't have been as easily exploitable as it appears to be. The problem is that it is trivial once the Chromecast is connected to the WLAN to force it to reconfigure.
The Youtube video of his presentation [youtube.com] (no transcript, sorry, go listen to it in the background while doing something else) makes it clear that it's trivially simple to get the device looking for a suitable partner
Nowhere in TFA (Score:4, Insightful)
Nowhere in TFA does it say why a Factory Data Reset wont fix that.
Re: (Score:1)
So Rick is only going to give you up after a Factory Data Reset?
Re: (Score:2)
So Rick is only going to give you up after a Factory Data Reset?
The lyrics take on a whole new meaning with this exploit :)
Re: (Score:1)
It's not really much of a fix if the attacker can just do the same attack again immediately.
Re: (Score:1)
It's not really much of a fix if the attacker can just do the same attack again immediately.
From TFS:
If the hacker leaves the range of the device...
Re: (Score:3)
Because the summary is wrong. The article says exactly the opposite of the summary. (bold mine)
Re: (Score:2, Informative)
http://allaboutchromecast.com/chromecast-how-to-guide/reset-chromecast-factory-data-reset-fdr/ [allaboutchromecast.com]
Where's the factory-reset button? (Score:2, Interesting)
If the hacker leaves the range of the device, there's no way to regain control of the Chromecast.
Where's the factory-reset button when you need it?
Consumer-electronics that aren't so cheap they are "disposable" should have a "reset to last known good state" hardware button and for some types of devices, a "save current state as known good state" hardware button. If the second button is missing, the "factory fresh state" will forever be the only "last known good state."
The second button is needed for installing "bios-level" anti-theft software and the like that can't be undone by the first button, if t
Re:Where's the factory-reset button? (Score:5, Informative)
http://www.tnet.com/products/devices/chromecast/resetbutton
it does.
Re: (Score:1)
Please forgive me for taking the article summary at face value when it said
If the hacker leaves the range of the device, there's no way to regain control of the Chromecast.
The only way that could be true is if there was no properly functioning hardware reset button.
I've been around /. awhile, I really should know better than to assume article summaries are accurate.
Re:Where's the factory-reset button? (Score:5, Informative)
> Where's the factory-reset button when you need it?
It's on the Chromecast.
> They need to be hardware buttons
It's a hardware button.
Note to Google Users: (Score:2, Insightful)
Duh.
Re: (Score:2)
sure, if you care that much about taking over the raspberry pi of the attacker..
Wardriving + Rickmoting = ?? (Score:2)
Real slow
While the Chromecasters be yellin'
RICKROLLED!
News just in (Score:2)
Person with access to your local network can configure network configurable device.
Google is eternally "Beta" by default (Score:2)
Anti-glasshole version (Score:5, Interesting)
Waiting for the Google Glass version Rickmote. That one has endless possibilities...
Finally this can be achieved easily (Score:1)
"Python Code" (Score:1)
First: This is awesome. Of course I love this little hack that exploits some pretty serious default misconfguration.
Second: I hate seeing "code" which is really just a 'wrapper' around other tools. This isn't 'Python code' as much as a 'glorified shell script that relies on Linux free tools!".. maybe some attrition for:
airplay-ng
line 138: os.system("aireplay-ng -D -0 0 -a" + network.MAC + " mon0 &")
Linux Wireless Network tools????
line 255: 'iwlist wlan0 scan 2>/dev/null',
Third: It re
Re: (Score:1)
somebody should start a petition (Score:1)
The point is the 35 USD (Score:2)
If it was built around a $200 Dell Laptop with an Intel Atom Processor, would you list all of that, too?
No. And the reason is that a $200 netbook costs a lot more than $35. Part of the perceived embarrassment is how cheap it is to build a rig that remotely 0wns someone's Chromecast device. If mentioning the Raspberry Pi brand is too much of a Slashvertisement to you, would "a $35 single-board computer" sound more honest?