Google sat on a Chromecast bug for years, now hackers could wreak havoc – TechCrunch

Google was warned of a bug in its Chromecast media streaming stick years ago, but did not fix it. Now, hackers are exploiting the bug — and security researchers say things could get even worse.

A hacker, known as Hacker Giraffe, has become the latest person to figure out how to trick Google’s media streamer into playing any YouTube video they want — including videos that are custom-made. This time around, the hacker hijacked thousands of Chromecasts, forcing them to display a pop-up notice that’s viewable on the connected TV, warning the user that their misconfigured router is exposing their Chromecast and smart TV to hackers like himself.

Not one to waste an opportunity, the hacker also asks that you subscribe to PewDiePie, an awful internet person with a popular YouTube following. (He’s the same hacker who tricked thousands of exposed printers into printing support for PewDiePie.)

The bug, dubbed CastHack, exploits a weakness in both Chromecast and the router it connects to. Some home routers have enabled Universal Plug and Play (UPnP), a networking standard that can be exploited in many ways. UPnP forwards ports from the internal network to the internet, making Chromecasts and other devices viewable and accessible from anywhere on the internet.

As Hacker Giraffe says, disabling UPnP should fix the problem.
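An added example, not from the article or the researchers it cites: a small audit that parses a router's UPnP port-mapping entries and flags enabled TCP forwards that reach a cast device. The SOAP responses are constructed samples, and the port set 8008/8009/8443 is an assumption the article does not state.

```python
import xml.etree.ElementTree as ET

# Assumption (not stated in the article): TCP ports on which a Chromecast's
# local control services are commonly reachable.
CAST_PORTS = {8008, 8009, 8443}

# Shape of a GetGenericPortMappingEntry response from a UPnP Internet Gateway
# Device (WANIPConnection service). A router returns one per mapping index.
SOAP_TEMPLATE = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
 <s:Body>
  <u:GetGenericPortMappingEntryResponse
      xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
   <NewRemoteHost></NewRemoteHost>
   <NewExternalPort>{ext}</NewExternalPort>
   <NewProtocol>{proto}</NewProtocol>
   <NewInternalPort>{internal}</NewInternalPort>
   <NewInternalClient>{client}</NewInternalClient>
   <NewEnabled>{enabled}</NewEnabled>
   <NewPortMappingDescription>{desc}</NewPortMappingDescription>
   <NewLeaseDuration>0</NewLeaseDuration>
  </u:GetGenericPortMappingEntryResponse>
 </s:Body>
</s:Envelope>"""

# Constructed sample data: four mappings on a hypothetical home router.
SAMPLE_RESPONSES = [
    SOAP_TEMPLATE.format(ext=8009, proto="TCP", internal=8009,
                         client="192.168.1.23", enabled=1, desc="cast"),
    # External port differs from the internal one: a check keyed on the
    # external port alone would miss this forward.
    SOAP_TEMPLATE.format(ext=18008, proto="TCP", internal=8008,
                         client="192.168.1.23", enabled=1, desc="media"),
    SOAP_TEMPLATE.format(ext=51413, proto="UDP", internal=51413,
                         client="192.168.1.40", enabled=1, desc="p2p"),
    SOAP_TEMPLATE.format(ext=8443, proto="TCP", internal=8443,
                         client="192.168.1.23", enabled=0, desc="old"),
]


def parse_mapping(xml_text):
    """Extract the New* arguments of one port-mapping response into a dict."""
    root = ET.fromstring(xml_text)
    fields = {}
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]          # drop any XML namespace
        if tag.startswith("New"):
            fields[tag[3:]] = (el.text or "").strip()
    return {
        "external_port": int(fields["ExternalPort"]),
        "internal_port": int(fields["InternalPort"]),
        "protocol": fields["Protocol"].upper(),
        "client": fields["InternalClient"],
        "enabled": fields["Enabled"] == "1",
        "remote_host": fields.get("RemoteHost", ""),
    }


def audit(responses):
    """Return (client, external_port, internal_port, scope) for each enabled
    TCP forward whose internal port is a cast control port."""
    findings = []
    for xml_text in responses:
        m = parse_mapping(xml_text)
        if not (m["enabled"] and m["protocol"] == "TCP"):
            continue
        if m["internal_port"] in CAST_PORTS:
            # An empty RemoteHost means the mapping accepts any source address.
            scope = m["remote_host"] or "any internet host"
            findings.append((m["client"], m["external_port"],
                             m["internal_port"], scope))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSES):
        print("exposed cast port:", finding)
```

Any finding means the device is reachable from outside the LAN; removing the mapping and disabling UPnP on the router closes it.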

“We have received reports from users who have had an unauthorized video played on their TVs via a Chromecast device,” a Google spokesperson told TechCrunch. “This is not an issue with Chromecast specifically, but is rather the result of router settings that make smart devices, including Chromecast, publicly reachable,” the spokesperson said.

That’s true on one hand, but it doesn’t address the years-old bug that gives anyone with access to a Chromecast the ability to hijack the media stream and display whatever they want, because Chromecast doesn’t check to see if someone is authorized to change the video stream.

Hacker Giraffe sent this YouTube video to thousands of exposed Chromecast devices, warning that their streams could be easily hijacked. (Screenshot: TechCrunch)

Bishop Fox, a security consultancy firm, first found the bug in 2014, not long after the Chromecast debuted. The researchers found that they could conduct a “deauth” attack that disconnects the Chromecast from the Wi-Fi network it was connected to, causing it to revert back to its out-of-the-box state, waiting for a device to tell it where to connect and what to stream. That’s when it can be hijacked and forced to stream whatever the hijacker wants. All of this can be done in an instant — as they did — with a touch of a button on a custom-built handheld remote.

Two years later, U.K. cybersecurity firm Pen Test Partners discovered that the Chromecast was still vulnerable to “deauth” attacks, making it easy to play content on a neighbor’s Chromecasts in just a few minutes.

Ken Munro, who founded Pen Test Partners, says there’s “no surprise that somebody else stumbled on to it,” given both Bishop Fox found it in 2014 and his company tested it in 2016.

“In fairness, we never thought that the service would be exposed on the public internet, so that is a very valid finding of his, full credit to him for that,” Munro told TechCrunch. (Google said in a follow-up email that it’s working to fix the deauth bug.)

He said the way the attack is conducted is different, but the method of exploitation is the same. CastHack can be exploited over the internet, while Bishop Fox and his “deauth” attacks can be carried out within range of the Wi-Fi network — yet, both attacks let the hacker control what’s displayed on the TV from the Chromecast, he said.

Munro said Google should have fixed its bug in 2014 when it first had the chance.

“Allowing control over a local network without authentication is a really silly idea on [Google’s] part,” he said. “Because users do silly things, like expose their TVs on the internet, and hackers find bugs in services that can be exploited.”

Hacker Giraffe is the latest to resort to “Good Samaritan security,” by warning users of the issues and providing advice on how to fix them before malicious hackers take over, where tech companies and device makers have largely failed.

But Munro said that these kinds of attacks — although obnoxious and intrusive on the face of it — could be exploited to have far more malicious consequences.

In a blog post Wednesday, Munro said it was easy to exploit other smart home devices — like an Amazon Echo — by hijacking a Chromecast and forcing it to play commands that are loud enough to be picked up by its microphone. That’s happened before, when smart assistants get confused when they overhear words on the television or radio, and suddenly and without warning purchase items from Amazon. (You can and should turn on a PIN for ordering through Amazon.)

To name a few, Munro said it’s possible to force a Chromecast into loading a YouTube video created by an attacker to trick an Echo to: “Alexa, order an iPad,” or, “Alexa, turn off the house alarm,” or, “Alexa, set an alarm every day at 3am.”

Amazon Echos and other smart devices are widely considered to be secure, even if they’re prone to overhearing things they shouldn’t. Often, humans are the weakest link. Second to that, it’s the other devices around smart home assistants that pose the biggest risk, said Munro in his blog post. That was demonstrated recently when Canadian security researcher Render Man showed how using a sound transducer against a window can trick a nearby Amazon Echo into unlocking a network-connected smart lock on the front door of a house.

“Google needs to properly fix the Chromecast deauth bug that allows casting of YouTube traffic,” said Munro.

The 5 Best Black Friday Apple Deals: MacBooks, AirPods, Apple Watch, iPad, and More.

Andrew Cunningham

Black Friday is in full swing, and that’s great news if you’ve had your eyes on an Apple device but have been waiting for a solid discount to pull the trigger. Apple devices are notoriously expensive, and you typically don’t see many discounts throughout the year. Fortunately, Black Friday brings notable Apple deals not only from retailers, but Apple itself. Just as we do every year, we’re cutting through the noise to bring you the best Black Friday Apple deals we can find.

Below are a few of the most worthwhile Apple deals we’re seeing as of this writing. As always, we’re focusing on products we’d actually recommend based on our time reviewing them and excluding any we don’t think are worth your money. Lastly: there haven’t been any huge iPhone deals we think are worth your time, so the focus here is on other products.

Ars Technica may earn compensation for sales from links on this post through affiliate programs.

The 2022 iPad Air.

Samuel Axon

Apple iPad Air 2022 10.9-inch for $500 ($560) at Amazon (discount at checkout)

Also at Apple for $680 with a $50 Apple gift card

These days, it’s not hard to make the case that Apple makes too many iPad models. The lineup has gotten convoluted and confusing, and some models offer better value than others. Fortunately, if you can afford it, there’s one clear recommendation for the significant majority of would-be tablet owners: the iPad Air.

The iPad Pro’s 120Hz display, Face ID authentication, and other bells and whistles are all nice-to-haves, but they’re not essential. And on the other end of the lineup, the new 2022 iPad sacrifices a bit too much compared to the Air, given the price difference.

The Air doesn’t skimp on anything essential: it has the fast M1 chip, second-generation Apple Pencil support, a great screen, and strong accessory support. It’s currently on sale at Amazon for $500 ($60 off typical street price), but Apple’s also offering it for full retail at $680 with a $50 Apple gift card incentive.

For scale, here are the brick and cable next to the laptop.

Samuel Axon

MacBook Air 2022 for $1,050 ($1,200) at Amazon

The Mac has been through many permutations (and ups and downs) over the years, but the recent transition away from Intel processors to Apple’s own custom-designed silicon has made clear that this is as good a time to go Mac as any there ever was.

While many of Apple’s Macs (like the MacBook Pro or the Mac Studio) are specialized products for certain audiences, the 2022 MacBook Air is the Mac that makes the most sense for the most people. Its M2 processor is frankly faster than most desktop processors, and a recent redesign modernized a classic laptop—even if it did so at the cost of some of its unique identity.

You can buy the Air at a $150 discount from Amazon ($1,050 for 256GB or $1,350 for 512GB) or you can buy it directly from Apple and get a $150 gift card.

If you need more power or a bigger screen, check out our Best Black Friday Laptop Deals post, where we have discounts on the well-equipped, multi-port-toting 14-inch MacBook Pro on sale for $1,600 ($400 off) and the most powerful Apple laptop, the 16-inch MacBook Pro for $2,000 ($500 off).

Jeff Dunn

Apple AirPods Pro (second generation) for $249 with a $75 Apple gift card from Apple

Also at Amazon for $199 and first generation for $159 at Walmart

AirPods are more convenient than any other wireless headphones we’ve used, they offer essential features like spatial audio and transparency mode, and the sound quality isn’t generally too bad for the price, either. You can absolutely find other headphones that beat any of Apple’s comparably priced AirPods models in either sound quality or noise cancellation (though you’d be hard pressed to find anything that’s as easy to use wirelessly) but as a complete package, let’s just say that AirPods are wildly popular for a reason. Just don’t bother if you don’t have an Apple device to pair them with.

The best AirPods for most people are the AirPods Pro; they strike a perfect balance between price and performance. Both the first- and second-generation AirPods Pro are on sale right now. While both deals offer solid value, the second-generation is an objectively better pair of headphones in all relevant ways, as you might expect. If you can find use for a $75 Apple gift card, then we’d recommend grabbing Apple’s deal for the second-gen AirPods Pro.

Noise cancellation is improved, as is spatial audio performance, lending to a more immersive sound experience. The second-gen also improves listening time from four and a half hours on the first-gen to six on the latest-gen, while adding goodies like a MagSafe charging case with a built-in speaker and chip for new Find My capabilities, in case your AirPods ever go missing. The first-generation AirPods still sound very good, and noise cancelation is on the higher end of the spectrum compared to most earbuds. So, again, if you have no uses for a $75 Apple gift card, we can’t fault you for saving a few bucks and getting the first-generation Pros instead.

The Apple TV 4K with Apple's improved Siri Remote.

Jeff Dunn

Apple TV 4K 2021 64GB for $100 ($130) at Amazon

Apple TV HD 2021 32GB $59 ($99) at Walmart

Apple just recently released a new revision of its Apple TV 4K streaming box, but it wasn’t a huge upgrade over the prior model unless you are using a TV that only supports HDR10+ instead of Dolby Vision. With the new one on the market, though, last year’s mostly-the-same model is steeply discounted, making it the best deal out there for a streaming TV platform. As always, its appeal compared to offerings from Roku and others is lessened if you’re not already living in Apple’s ecosystem, but if you have an iPhone or AirPods, the current discount is a steal.

If you don’t need 4K quality, the Apple TV HD is also on steep discount for the lowest price we’ve ever seen on a new Apple TV at $69.

The Apple Watch SE.

Samuel Axon

Apple Watch SE second generation (40 mm) for $229 ($270) Amazon

Apple offers a plethora of Watch models now, including the new flashy, outdoorsy Apple Watch Ultra. But truth be told, the entry-level Apple Watch SE (available at 40mm or 44mm) includes most of the features most people would care to have. We’re not knocking the Series 8 or the Ultra—they have a lot to offer. If you want the most health-feature heavy device, the Apple Watch Series 8 is the way to go, and it’s on sale for $350 ($50 off) right now. But if you’re just looking for something to help you track your workouts and stay connected, the SE will do the job for a lot less money.

14 Best Black Friday Laptop Deals: Apple MacBooks, Microsoft Surface, Dell, HP, And More

Microsoft’s Surface Pro 8.

Andrew Cunningham

Black Friday laptop deals are as American as pumpkin pie. But tracking down worthwhile options can be tricky. Each model has variants, each of those variants has configurations with too many sound-alike model numbers (thank you, Intel), and many of the model names are unmemorable.

We spend a lot of time looking at laptops and writing about them at Ars, so we’ve gone through the deals and highlighted the most noteworthy options, based on the laptops we’ve reviewed and know. Here are some laptop computer deals we think are worth knowing about.

Ars Technica may earn compensation for sales from links on this post through affiliate programs.

The 2022 MacBook Air.

Samuel Axon

MacBook Air 2022 for $1,050 ($1,200) at Amazon

It’s not a mandatory upgrade over its M1-based predecessor, but the M2-powered MacBook Air is the best laptop for most kinds of Mac users. Thanks to Apple’s impressive M2 processor, this entry-level model can do a lot with just 8GB of RAM, though the 256GB storage might push storage-hungry types to the Pro (also on sale right now).

Best Buy has a matching deal on the same model, and Apple’s offering a $150 gift card if you buy the newest MacBook Air at their store. You can also nab a 512GB MacBook Air for $1,299 at Best Buy and $1,499 at Apple (with the $150 gift card).

Two 2021 MacBook Pro models side-by-side.

Samuel Axon

14-inch MacBook Pro 2021 for $1,600 ($2,000) at Amazon

The 2021 MacBook Pro is the hardware hard fork we’d been waiting for, a return to usable ports, reasonable keyboards, and function keys, largely powered by the advent of Apple’s own silicon. Ars’ Samuel Axon dubbed it “the best laptop money can buy for many use cases, provided you have a lot of money.” For a brief period, it’s a good bit less money at Amazon. A 14-inch model with an M1 Pro chip, 16GB RAM, and 512GB storage is $1,599 ($400 off). The same deal is available at Best Buy.

Want two more CPU and GPU cores each and twice the storage? That model’s currently on sale for $2,000 at Amazon, down $500 off the typical price. A 2022 model, with a slightly faster M2 chip and 8GB RAM, is $1,350 at Amazon ($150 off). Apple isn’t offering a discount, but buying a MacBook Pro qualifies you for an Apple gift card worth up to $250.

16-inch MacBook Pro 2021 for $2,000 ($2,500) at Amazon

Everything about the 14-inch MacBook Pro applies to the 16-inch model—just with a bigger screen, and a price to match. This week, Amazon has a model with 16GB memory, 512GB storage, and a 16-core M1 Pro processor for $2,000 ($500 off). Best Buy has the same deal.

If you want the most powerful Apple laptop, a model with a 32-core M1 Max chip, 32GB RAM, and 1TB storage is $3,049 at Best Buy, $450 less than retail. Or you can pay full retail price through Apple and get a $250 gift card.

Microsoft's Surface Pro 9.

Andrew Cunningham

Surface Pro 9 with keyboard cover for $1,100 ($1,300) at Costco

If you want a Windows device that can be both a tablet and laptop, the Surface Pro 9 is the best to do that job, after more than nine hardware revisions and spin-offs. The crisp 13-inch screen, 12th-generation U-series Intel processor, and the nice feel of the keyboard cover (included with this deal) keep the Surface as the archetype of the portable-but-still-type-friendly laptop computer.

It’s pretty hard to beat this keyboard-included deal on a brand-new device. But if you’re not a Costco member, Best Buy offers the same model Surface Pro 9, sans keyboard, for $1,000 ($100 off) and an upgraded i7/16GB model for $1,400 ($200 off). Amazon also has an i7/16GB model with 256GB storage for $1,349, about $250 off retail.

Surface Pro 8 with keyboard cover for $900 ($1,350) at Best Buy

Not a whole bunch changed between the Surface Pro 8 and 9, minus a processor upgrade. If you’re looking for a more affordable entry point into Microsoft’s hybrid, we liked the Pro 8 one year ago, and it’s still a worthy purchase, especially at this discount with a keyboard cover included. Best Buy has the i5 8GB RAM 256GB storage model on sale for $900 with a graphite-colored keyboard cover and 15 months of Microsoft 365 to sweeten the deal.

The Surface Laptop Go 2.

Andrew Cunningham

Surface Laptop Go 2 for $600 ($700) at Best Buy

One of the biggest problems we had with the Surface Laptop Go 2 was that its base model with 4GB RAM isn’t useful for anybody. The other was that the $700 model, with 8GB RAM and 128GB storage, cost too much. But as we noted in our review, “if you can find it on sale … the Laptop Go 2 is a no-fuss budget laptop that’s worth considering if you can live with its flaws.”

Well, here you go. The 8GB RAM, 128GB model is on sale for $600 at Best Buy ($100 off). If you need a portable mouse to go with it, and like the idea of a 3-year protection plan, Microsoft is offering all that for the price of $655.

That's not just a spacious deck; it's a massive touchpad.

Scharon Harding

Dell XPS 13 Plus for $1,500 ($1,850) at Best Buy

This revamped version of Dell’s long-running ultrabook series made “wild design choices” to support a more powerful 12th-generation Intel CPU. If the most important thing for you in a laptop is performance, this laptop can really cook, and it looks and feels slim and classy. But it gets hot, its keys are tightly spaced, and its port selection is limited.

Best Buy has three variants of the XPS 13 Plus on sale: one with 32 GB RAM and 1 TB SSD for $1,700 ($400 off), 16GB RAM and 512GB SSD (as we reviewed) for $1,500 ($350 off), and if you want to sacrifice an OLED display, an FHD+ model for $1,350 ($300 off).

HP's 13.5-inch Spectre x360.

Scharon Harding

HP Spectre x360 13.5” for $900 ($1,250) at HP

The 13.5-inch Spectre x360 has “a little something for almost everyone,” we wrote in August. It “gets an A+ in looks and scores high (but not perfectly) in design details.” It wasn’t top of its class when compared to other ultralights in its price range, but at this price the Spectre is earning better grades against the curve.

HP has a model with an i5-1235U processor, 8GB RAM, 512GB NVMe SSD, and a 1920×1280 IPS screen for $900 ($350 off). You can tweak some of those elements, including doubling the RAM for just $60 more, at HP’s site.

System76 Lemur Pro.

System76 Lemur Pro 14-inch for $1,150 ($1,200) at System76

Linux-focused laptop vendors don’t bust out huge sales around Black Friday, or generally much at all. They’ve got other things to focus on than container-ship-scale volume. So when System76 knocks $50 off its redesigned 14” Lemur Pro, the one with the touted 14-hour battery life, it’s worth taking note. You can choose between Pop! OS and Ubuntu 22.04 pre-installed, a whole lot of storage and RAM options, and certain configurations will get free shipping.

Other laptop deals we like

  • Microsoft Surface Laptop 4 15-inch laptop PC (2496×1664, Core i7-1185G7, 32GB RAM, 1TB SSD) for $1,900 ($2,400) at Amazon
  • Samsung Galaxy Chromebook 2 13.3” (1920×1080, Core i3-10110U, 8GB RAM, 128GB SSD) for $549 ($699) at Best Buy
  • Microsoft Surface Laptop 5 from $899 up to $300 off at Microsoft
  • Microsoft Surface Laptop Studio from $1,400 up to $400 off at Microsoft
  • Lenovo IdeaPad Flex 5i 13-inch Chromebook ‎(1920×1080, Intel Core i3-1115G4, 8GB RAM, 128GB SSD) for $300 ($420) at Amazon

Listing image by Samuel Axon

Windows Subsystem for Linux with GUI apps launches for Windows 10

The latest Microsoft Store version of the Windows Subsystem for Linux allows for graphical apps, systemd support, multiple distributions, and a lot of questions about whether you have three different options enabled on your Windows 10 system.

Kevin Purdy

The Windows Subsystem for Linux (WSL), one of the best reasons to run Windows 11, is now available to Windows 10 users, in the latest version and with all its features. WSL dropped its “preview” label with this 1.0 release, and aims to simplify its installation from here on out.

Getting the best version of WSL used to mean installing big, system-level Windows updates (including 11 itself). As part of its broader moving of key apps into its Store, Microsoft now offers the most feature-rich version of WSL there. “The in-Windows version of WSL will still receive critical bug fixes, but the Store version of WSL is where new features and functionality will be added,” Windows Developer Platform Program Manager Craig Loewen noted in a blog post.

Loewen noted that the “WSL community’s requests” drove Microsoft to make the latest, GUI-ready framework version available to Windows 10 users. Now a Store installation is the default, even if you use the command line (PowerShell) to install and update WSL. Now anyone whose system is capable of running WSL has access to graphical apps and (optional) systemd support, and can hopefully spend less time wondering which WSL version they have, what they need, and what the differences are.

And yet even Microsoft understands this leaves a lot of versions of WSL in existence. There’s WSL 1 and WSL 2, and Linux distributions for both of them. There’s the in-Windows version of WSL—enabled as an “optional component” in Windows—and the Store version. This update, Loewen writes, should “simplify our versioning story.” WSL 2 is the default distro version and Store install. It’s how you run Linux with direct integration into Windows.

I got the Store version of WSL running on my Windows 10 desktop, but only after five restarts and quite a bit of support forum wandering. This might have been due to having previously tinkered with WSL on the system.

I installed every system update waiting for me, but that wasn’t the cause of the “incompatible version” errors I was receiving. I visited “Turn Windows features on or off” from the Start menu (separate from “Manage optional features”) multiple times to check and ensure that “Virtual Machine Platform,” “Windows Hypervisor Platform,” and “Windows Subsystem for Linux” were all enabled. I checked my BIOS for hypervisor support (enabled), double-checked that I had WSL 2 set as my default (it was), and installed Ubuntu two or three times from the command line until it actually happened.

Once installed, it was rather impressive to have Linux apps up and running in Windows (even if they complained quite a bit about various dependencies and warnings). For someone who needs that one specific utility not offered on Windows, or is just Linux-curious without wanting to go the full partition-and-dual-boot route, it should be an easier on-ramp now that it’s in the Microsoft Store.

Listing image by Microsoft
