Connect with us

Gadgets

Google sat on a Chromecast bug for years, now hackers could wreak havoc – TechCrunch

Published

on

Google was warned of a bug in its Chromecast media streaming stick years ago, but did not fix it. Now, hackers are exploiting the bug — and security researchers say things could get even worse.

A hacker, known as Hacker Giraffe, has become the latest person to figure out how to trick Google’s media streamer into playing any YouTube video they want — including videos that are custom-made. This time around, the hacker hijacked thousands of Chromecasts, forcing them to display a pop-up notice that’s viewable on the connected TV, warning the user that their misconfigured router is exposing their Chromecast and smart TV to hackers like himself.

Not one to waste an opportunity, the hacker also asks that you subscribe to PewDiePie, an awful internet person with a popular YouTube following. (He’s the same hacker who tricked thousands of exposed printers into printing support for PewDiePie.)

The bug, dubbed CastHack, exploits a weakness in both Chromecast and the router it connects to. Some home routers have enabled Universal Plug and Play (UPnP), a networking standard that can be exploited in many ways. UPnP forwards ports from the internal network to the internet, making Chromecasts and other devices viewable and accessible from anywhere on the internet.

As Hacker Giraffe says, disabling UPnP should fix the problem.

“We have received reports from users who have had an unauthorized video played on their TVs via a Chromecast device,” a Google spokesperson told TechCrunch. “This is not an issue with Chromecast specifically, but is rather the result of router settings that make smart devices, including Chromecast, publicly reachable,” the spokesperson said.

That’s true on one hand, but it doesn’t address the years-old bug that gives anyone with access to a Chromecast the ability to hijack the media stream and display whatever they want, because Chromecast doesn’t check to see if someone is authorized to change the video stream.

Hacker Giraffe sent this YouTube video to thousands of exposed Chromecast devices, warning that their streams could be easily hijacked. (Screenshot: TechCrunch)

Bishop Fox, a security consultancy firm, first found the bug in 2014, not long after the Chromecast debuted. The researchers found that they could conduct a “deauth” attack that disconnects the Chromecast from the Wi-Fi network it was connected to, causing it to revert back to its out-of-the-box state, waiting for a device to tell it where to connect and what to stream. That’s when it can be hijacked and forced to stream whatever the hijacker wants. All of this can be done in an instant — as they did — with a touch of a button on a custom-built handheld remote.

Two years later, U.K. cybersecurity firm Pen Test Partners discovered that the Chromecast was still vulnerable to “deauth” attacks, making it easy to play content on a neighbor’s Chromecasts in just a few minutes.

Ken Munro, who founded Pen Test Partners, says there’s “no surprise that somebody else stumbled on to it,” given both Bishop Fix found it in 2014 and his company tested it in 2016.

“In fairness, we never thought that the service would be exposed on the public internet, so that is a very valid finding of his, full credit to him for that,” Munro told TechCrunch. (Google said in a follow-up email that it’s working to fix the deauth bug.)

He said the way the attack is conducted is different, but the method of exploitation is the same. CastHack can be exploited over the internet, while Bishop Fox and his “deauth” attacks can be carried out within range of the Wi-Fi network — yet, both attacks let the hacker control what’s displayed on the TV from the Chromecast, he said.

Munro said Google should have fixed its bug in 2014 when it first had the chance.

“Allowing control over a local network without authentication is a really silly idea on [Google’s] part,” he said. “Because users do silly things, like expose their TVs on the internet, and hackers find bugs in services that can be exploited.”

Hacker Giraffe is the latest to resort to “Good Samaritan security,” by warning users of the issues and providing advice on how to fix them before malicious hackers take over, where tech companies and device makers have largely failed.

But Munro said that these kinds of attacks — although obnoxious and intrusive on the face of it — could be exploited to have far more malicious consequences.

In a blog post Wednesday, Munro said it was easy to exploit other smart home devices — like an Amazon Echo — by hijacking a Chromecast and forcing it to play commands that are loud enough to be picked up by its microphone. That’s happened before, when smart assistants get confused when they overhear words on the television or radio, and suddenly and without warning purchase items from Amazon. (You can and should turn on a PIN for ordering through Amazon.)

To name a few, Munro said it’s possible to force a Chromecast into loading a YouTube video created by an attacker to trick an Echo to: “Alexa, order an iPad,” or, “Alexa, turn off the house alarm,” or, “Alexa, set an alarm every day at 3am.”

Amazon Echos and other smart devices are widely considered to be secure, even if they’re prone to overhearing things they shouldn’t. Often, the weakest link are humans. Second to that, it’s the other devices around smart home assistants that pose the biggest risk, said Munro in his blog post. That was demonstrated recently when Canadian security researcher Render Man showed how using a sound transducer against a window can trick a nearby Amazon Echo into unlocking a network-connected smart lock on the front door of a house.

“Google needs to properly fix the Chromecast deauth bug that allows casting of YouTube traffic,” said Munro.



Source link

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published.

Gadgets

Google loses two execs: one for Messaging and Workspace, another for Payments

Published

on

Google had a pair of high-ranking executives leave this week. The first was Bill Ready, Google’s “President of Commerce, Payments & Next Billion Users,” who left to become CEO of Pinterest. The second big departure is Javier Soltero, who was vice president and GM of Google Workspace, Google’s paid business app, and was the leader of Google Messaging. Both executives made big changes to Google in their nearly three-year stints at the company. Now that they are leaving, it’s unclear what the future of their respective products holds.

Ready was only at Google for two-and-a-half years, where his highest-profile move was presiding over the disastrous rollout of a significant Google Pay revamp. The new Google Pay app was spearheaded by Ready’s payments team, led by another recently ousted executive, Caesar Sengupta. The Google Pay revamp brought an app originally developed for India to the US, where the requirement for phone number-based identity came with a huge list of downgrades: The Google Pay website had to be stripped of payment functionality, the app no longer supported multiple accounts, and you couldn’t be logged in to multiple devices.

The rollout of the new app was also clumsy. Slowly, over a month or two, users were kicked out of the old Google Pay and had to transition to a new app. The new identity system wasn’t backward compatible with the old Google Pay, though, which meant users still on the old app couldn’t send money to users on the new app.

According to Pulse network (a wing of Discover card) Google Pay has 3 percent of the entire US NFC market. Keep in mind Google entered this market years before Apple.

According to Pulse network (a wing of Discover card) Google Pay has 3 percent of the entire US NFC market. Keep in mind Google entered this market years before Apple.

The new Google Pay was announced one year into Ready’s tenure at Google and launched in March 2021. The app initially came with big plans for expansion, including a wild announcement of Google-branded bank accounts. Sengupta left Google one month after the US launch of the new Google Pay, which triggered an “exodus” of employees, according to Insider. The report said, “Dozens of employees and executives” left the payments team after Sengupta’s departure, with one employee saying there was “frustration” the new Google Pay “wasn’t growing at the rate we wanted it to.”

What happened afterward seems like a complete scrapping of the original “New Google Pay” game plan. Google generally launches a product in the US first and then slowly rolls it out to the rest of the world, but after the initial poor reception, the new Google Pay never saw a wide rollout outside of the US. Google canceled its heavily promoted plans for a Google bank account, even though, according to the Wall Street Journal, the company already had 400,000 curious users sign up for the public waitlist.

Ready appointed a new leader of Payments this January, a move Bloomberg described as a “reset” of Google’s payments strategy. Ready also made headlines at the time by saying, “Crypto is something we pay a lot of attention to,” though no Google product has emerged.

Four months later, at Google I/O 2022, another revamp of Google Pay was announced, re-branding the product to “Google Wallet.” That’s right, after a big revamp of Google’s payment app in 2021, there’s now another new revamp in 2022. Ready is now leaving five months after appointing a new Payments lead and setting these plans in motion, but he won’t be around for the launch of Google Wallet. Between the departure of old Payments lead Sengupta, Sengupta’s boss, Ready, and “dozens” of team members, it sure seems like the payments team ended up cleaning house.

This nightmare of a map has the US with Google Pay and Google Wallet co-existing, while the rest of the world gets a cleaner solution of one payment app: Wallet.

This nightmare of a map has the US with Google Pay and Google Wallet co-existing, while the rest of the world gets a cleaner solution of one payment app: Wallet.

Google

At the heart of Google’s payments turbulence is probably the fact that most estimates put Google Pay at 3-4 percent of the US NFC payments market, which is way behind Apple’s nearly 92 percent market share. It’s an embarrassing loss considering Google was a pioneer in NFC payments and entered the market three years before Apple.

A big part of Google’s payment problems is this kind of instability, with Google’s payment app running through four different brands in 10 years (Google Wallet, then Android Pay, then Google Pay, now Google Wallet again). It still doesn’t seem like the company has arrived at a great solution with the new Google Wallet. The current plan—which could change once Ready’s replacement is hired—is for Google Wallet and Google Pay to co-exist in the US. In the rest of the world, there will be one payment app, Wallet, which sounds like a clean, reasonable offering. In the US and Singapore, though, Google doesn’t want to kill the widely panned new Google Pay app, so Google Wallet and Google Pay will be available. Why? If Wallet is rolling out to the rest of the world, the codebase clearly has the full payment feature set, why not just roll it out everywhere?

Google is still searching for a VP to replace Bill Ready, but the interim Payments president will be longtime Googler Nick Fox. Fox was previously front and center in the Google tech landscape as the head of Google messaging when the company produced Google Allo. Allo was Google’s main messaging app from 2016-2018, lasting about 576 days on the market. Since Allo, Fox has been running Google Search.

Continue Reading

Gadgets

Forget smart glasses, this smart contact lens prototype has a new vision for AR 

Published

on

Enlarge / Smart contact lenses don’t work quite this easily yet. (credit: Getty)

Since 2015, a California-based company called Mojo Vision has been developing smart contact lenses. Like smart glasses, the idea is to put helpful AR graphics in front of your eyes to help accomplish daily tasks. Now, a functioning prototype brings us closer to seeing a final product.

In a blog post this week, Drew Perkins, the CEO of Mojo Vision, said he was the first to have an “on-eye demonstration of a feature-complete augmented reality smart contact lens.” In an interview with CNET, he said he’s been wearing only one contact at a time for hour-long durations. Eventually, Mojo Vision would like users to be able to wear two Mojo Lens simultaneously and create 3D visual overlays, the publication said.

According to his blog, the CEO could see a compass through the contact and an on-screen teleprompter with a quote written on it. He also recalled viewing a green, monochromatic image of Albert Einstein to CNET.

Read 10 remaining paragraphs | Comments

Continue Reading

Gadgets

Some Macs are getting fewer updates than they used to. Here’s why it’s a problem

Published

on

Aurich Lawson

When macOS Ventura was announced earlier this month, its system requirements were considerably stricter than those for macOS Monterey, which was released just eight months ago as of this writing. Ventura requires a Mac made in 2017 or later, dropping support for a wide range of Monterey-supported Mac models released between 2013 and 2016.

This certainly seems more aggressive than new macOS releases from just a few years ago, where system requirements would tighten roughly every other year or so. But how bad is it, really? Is a Mac purchased in 2016 getting fewer updates than one bought in 2012 or 2008 or 1999? And if so, is there an explanation beyond Apple’s desire for more users to move to shiny new Apple Silicon Macs?

Using data from Apple’s website and EveryMac.com, we pulled together information on more than two decades of Mac releases—almost everything Apple has released between the original iMac in late 1998 and the last Intel Macs in 2020. We recorded when each model was released, when Apple stopped selling each model, the last officially supported macOS release for each system, and the dates when those versions of macOS received their last point updates (i.e. 10.4.11, 11.6) and their last regular security patches. (I’ve made some notes on how I chose to streamline and organize the data, which I’ve put at the end of this article).

The end result is a spreadsheet full of dozens of Macs, with multiple metrics for determining how long each one received official software support from Apple. These methods included measuring the amount of time between when each model was discontinued and when it stopped receiving updates, which is particularly relevant for models like the 2013 Mac Pro, 2014 Mac mini, and 2015 MacBook Air that were sold for multiple years after they were first introduced.

Continue Reading

Trending