
We Uncovered a Chain of Chromecast Vulnerabilities – Here’s Why It Matters.

What We Did, and What You Should Know Before Installing a Custom OS

A DirectDefense security researcher, Nolen Johnson, joined two other researchers to exploit three Chromecast vulnerabilities present in the Chromecast with Google TV (CCwGTV) 1080P. 

The team developed a chain of three exploits that ultimately allowed an individual to run a custom OS/unsigned code on the CCwGTV 1080P – and their hard work can now be passed along to you with some helpful information about security risks and proper device customization.

What We Did to Develop the Three Exploits

These exploits can be performed fairly easily despite the challenges the security team faced. You can get the details in the team’s recent white paper, Executing a Chromecast Exploit – Times Three.

However, the bigger picture includes some key takeaways of this work that you should know, whether you are a hobbyist or an average end user.

Pre-Installed Malware

The primary concern for the average end user who doesn’t extensively customize their device lies in potential malware affecting the device. 

Particular caution is advised when purchasing from third-party resellers such as eBay, where products are often resold. Many TV boxes circulating in these markets have been intentionally pre-infected with malware.

Chromecast is still considered a safer choice where security is concerned, as long as you keep in mind that even with devices known to be secure, there are always potential vulnerabilities. Black Hat attackers could use specific setups or exploit previous vulnerabilities to make the device falsely report its security status to you while they are actively eavesdropping on your communications. 

Privacy Risks

The remote controls that come paired with these devices can pose another security risk to communications privacy. 

Because these devices are also equipped with a built-in microphone, an attacker has an opportunity to use the remote control to activate the microphone remotely and exploit Bluetooth connectivity, potentially intercepting communications.

Attackers could also capture login credentials for different applications. Keyloggers could record all input, including passwords, and threaten your privacy and security.

Devices that are at risk of this vulnerability include multiple Nest devices, Google Chromecast, Nest Wi-Fi Pro, and Google Home. These vulnerabilities exist in devices that feature the Amlogic-based chipset – which is not expected to be replaced until after December 6, 2023.

While Google Chromecast was specifically demonstrated by the security research team, other devices with the same chipset might also be vulnerable, although the extent is not fully understood. We do know that the injection vector and the persistence bug apply to all of the above-mentioned devices, as well as smart products with an Amlogic chip, such as Android TVs, IP cameras, Wi-Fi APs, routers, smart TVs, automotive components, smart speakers, and more.

Vulnerabilities Are All Around Us

We surround ourselves with smart, connected devices, and tend to overlook their inherent security vulnerabilities. It’s important to do your homework and select devices with high security ratings; however, because even the best security controls can’t protect against every risk, awareness also matters.

Security research teams across the world are helping companies like Google identify vulnerabilities from the perspective of attackers looking for weaknesses, and we consider this to be an important check on security that has beneficial ripple effects for companies and their customers.