Related
"Rickroll Innocent Televisions With This Google Chromecast Hack"
http://www.wired.com/2014/07/rickroll-innocent-televisions-with-this-google-chromecast-hack/
In short the video shows:
- remote device forces disconnect of Chromecast by sending deauth command over WiFi
- Chromecast reverts to Reconnect Me mode with its own WiFi
- remote device connects and takes over Chromecast
But if I'm not mistaken, this won't work without being able to see the access code displayed by the Chromecast on the TV screen, right?
The article also mentions another possible buffer-overrun vulnerability in the DIAL protocol, but I don't see any evidence that this is any more than speculation.
DJames1 said:
"Rickroll Innocent Televisions With This Google Chromecast Hack"
In short the video shows:
- remote device forces disconnect of Chromecast by sending deauth command over WiFi
- Chromecast reverts to Reconnect Me mode with its own WiFi
- remote device connects and takes over Chromecast
But if I'm not mistaken, this won't work without being able to see the access code displayed by the Chromecast on the TV screen, right?
The article also mentions another possible buffer-overrun vulnerability in the DIAL protocol, but I don't see any evidence that this is any more than speculation.
Hey! This is Dan, the researcher behind the story. To answer some of your questions:
The "access code" that the Chromecast shows is never actually used to authenticate people on the Wi-Fi. Its only purpose is to make sure users don't accidentally connect to their neighbor's Chromecast. You can verify this yourself: if you go into the Chromecast Android app and reconfigure your own Chromecast, you'll see that the app pops up with a message that says "Do you see the code 'X1B8'" (or whatever). You can just say "yes" and ignore it. The user never has to enter and verify the code itself.
As for the buffer overflow, it's true that there's no good evidence of it yet. I just haven't finished exploiting the vulnerability. Until I actually have a working exploit, there's no way to be sure that it really exists. The buffer overflow for sure exists, and it's in a remotely accessible location. But who knows, maybe there's some other wrinkle that keeps it from being exploitable. Expect to see more on that soon.
Hope that helps!
Yep, that PIN system they have is a pretty useless one, considering it is more of a CHECK than a security feature.
If it was like a BT PIN, where you had to enter the PIN you see on the screen before you could connect, it would be a real security system.
I wonder why Google hasn't thought of that.
Yup, any Chromecast is vulnerable to "takeover" whenever it gets disconnected from its configured WiFi AP.
Why? Because its setup mode is completely open and requires no challenge, just a response. It's like if you call a credit card company, put in a number that isn't yours, then the agent comes on the line and asks
"Are you Joe Smith?" [Yes]
"Is your password 'ChocolateMilkGivesMeGas'?" [Yes]
Because a simple reconfiguration does not seem to delete the existing WiFi supplicant data (Google could easily fix this by erasing the stored WiFi credentials once a device connects for setup), if the noted buffer overrun bug or another exploit could gain root, user's WiFi credentials are easily accessed.
Factory reset does delete the stored WiFi credentials, but nobody's going to factory-reset their Chromecast until it's already too late.
This particular issue is an issue for those running rooted Chromecasts, as all the attacker needs is a way in (which includes the Team Eureka Web Panel for those running Eureka-ROM, as the current web panel is not secured).
IMO, Google needs to make the setup more secure - ease of use should never trump data security.
Ah, so it's not an access code, it's just an ID to help you match up the Chromecast the app sees on WiFi with the one you see on the TV screen. That certainly seems insecure, especially since there are so many other devices and apps that link up securely via a very similar-appearing access code.
Maybe Google figures that the vulnerability is not significant if it can only be used for a harmless prank to display a different media stream, and the user could just do a reset to take back control.
DJames1 said:
Maybe Google figures that the vulnerability is not significant if it can only be used for a harmless prank to display a different media stream, and the user could just do a reset to take back control.
Yeah, Google seems to think being on the WiFi network is "secure" enough and anything else public/school/hotel is not the place for Chromecast... that logic may work in a single-family living situation, but it definitely does not work in a shared environment, and the fact that it automatically goes into Setup mode when it loses its configured AP is where the risk lies, since someone can reconfigure it to connect to their WiFi network and it still has the original user's AP credentials stored.
Google can lock things down by changing the behavior so either
Clear the stored WiFi credentials when the setup process begins, before Chromecast connects to another network
This wouldn't stop some kind of remote-access exploit that can break in during setup mode, but it does stop any normal-mode exploits.
Require a factory reset to enter Setup mode when Chromecast is configured to connect to a WiFi network.
IMO the second one is more of the expected user behavior - when it arrives it has no credentials stored so it automatically proceeds to setup mode, but once configured it stays configured and requires reset to start configuration again.
Right now it says configured but can be reconfigured - by anyone any time the configured AP goes unavailable.
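The takeover sequence described at the top of the thread starts with a burst of unprotected 802.11 deauthentication frames that knocks the Chromecast off its AP, which is exactly the kind of event a home or campus network can alert on. As an added example (not code from any poster in this thread), here is a small Python detector that parses raw 802.11 management frames and flags deauth bursts per source/destination pair; the frame bytes, reason code and MAC addresses are constructed placeholders.

```python
"""Flag bursts of 802.11 deauthentication frames in a raw management-frame capture."""
from collections import defaultdict
import struct

MGMT_HDR_LEN = 24      # FC(2) + duration(2) + addr1/2/3 (18) + sequence control(2)
SUBTYPE_DEAUTH = 12    # management subtype 0xC = deauthentication


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def parse_mgmt_frame(raw):
    """Return a dict for an 802.11 management frame, or None if not management."""
    if len(raw) < MGMT_HDR_LEN:
        return None
    fc0 = raw[0]
    if (fc0 >> 2) & 0x3 != 0:          # frame-control type bits: 0 = management
        return None
    frame = {
        "subtype": (fc0 >> 4) & 0xF,
        "dst": mac_str(raw[4:10]),
        "src": mac_str(raw[10:16]),
        "bssid": mac_str(raw[16:22]),
        "seq": struct.unpack_from("<H", raw, 22)[0] >> 4,
        "reason": None,
    }
    if frame["subtype"] == SUBTYPE_DEAUTH and len(raw) >= MGMT_HDR_LEN + 2:
        frame["reason"] = struct.unpack_from("<H", raw, MGMT_HDR_LEN)[0]
    return frame


def build_frame(subtype, dst, src, bssid, seq, body=b""):
    """Construct a management frame; used here only to build the sample capture."""
    fc = bytes([subtype << 4, 0])
    return (fc + b"\x00\x00" + mac_bytes(dst) + mac_bytes(src) + mac_bytes(bssid)
            + struct.pack("<H", seq << 4) + body)


def find_deauth_bursts(capture, window=2.0, threshold=5):
    """capture: iterable of (timestamp_seconds, raw_frame). One alert per (src, dst)."""
    times = defaultdict(list)
    for ts, raw in capture:
        f = parse_mgmt_frame(raw)
        if f and f["subtype"] == SUBTYPE_DEAUTH:
            times[(f["src"], f["dst"])].append(ts)
    alerts = []
    for (src, dst), ts_list in times.items():
        ts_list.sort()
        best = (0, None, None)          # densest window: (count, start, end)
        j = 0
        for i, start in enumerate(ts_list):
            while j < len(ts_list) and ts_list[j] - start <= window:
                j += 1
            if j - i > best[0]:
                best = (j - i, start, ts_list[j - 1])
        if best[0] >= threshold:
            alerts.append({"src": src, "dst": dst, "count": best[0],
                           "start": best[1], "end": best[2]})
    return alerts


# Constructed sample capture: placeholder AP and Chromecast addresses.
AP = "02:00:00:00:aa:01"
CC = "02:00:00:00:cc:01"
DEAUTH_BODY = struct.pack("<H", 7)   # reason code 7 (constructed value)

SAMPLE_CAPTURE = [
    (0.0, build_frame(8, "ff:ff:ff:ff:ff:ff", AP, AP, 100)),            # beacon, ignored
    (1.0, build_frame(SUBTYPE_DEAUTH, CC, AP, AP, 101, DEAUTH_BODY)),  # lone deauth
] + [
    (10.0 + 0.05 * n, build_frame(SUBTYPE_DEAUTH, CC, AP, AP, 200 + n, DEAUTH_BODY))
    for n in range(20)                                               # 20 within 1 s
]

if __name__ == "__main__":
    for a in find_deauth_bursts(SAMPLE_CAPTURE):
        print(f"deauth burst {a['src']} -> {a['dst']}: {a['count']} frames "
              f"between t={a['start']:.2f} and t={a['end']:.2f}")
```

Forged deauthentication frames can only be rejected outright with 802.11w management-frame protection, which both the AP and the client must support; on networks without it, alerting on bursts like the one above is the practical fallback.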
DJames1 said:
Ah, so it's not an access code, it's just an ID to help you match up the Chromecast the app sees on WiFi with the one you see on the TV screen. That certainly seems insecure, especially since there are so many other devices and apps that link up securely via a very similar-appearing access code.
Maybe Google figures that the vulnerability is not significant if it can only be used for a harmless prank to display a different media stream, and the user could just do a reset to take back control.
Yeah, if they made the PIN system an integral part of allowing connection then it would be MUCH more secure, even if it was in open AP mode, because you would still need to be in front of the TV it is plugged into to see the PIN!
Odd isn't it how Google seems to have spent so much effort and time into securing what can RUN on the damn device yet took little to no interest in who could connect to it!
The fact that the worst thing possible is a bad Video Picture being displayed I guess they thought it wasn't worth the effort and was maybe too difficult for an idiot to use if it was secure!
Hello!
I'm trying to use Youtube Tv from outside the US.
Worked great until last Saturday when Google somehow implemented location features to the cast devices.
I can still start the app and view stuff on my tablet by spoofing the GPS and it used to be that was enough to be able to start a cast of whatever programming I wanted.
Since the new location feature came in I can't cast anymore, I get a message that the app is not supported in my country.
I figure (without having a way to be sure) that the Chromecast devices (and Nexus Player) now use wifi assisted location to get a position.
I have tried to put the chromecast behind a vpn, then factory defaulting it, then get it directly to exit in Chicago but nothing works, telling me it's likely not an IP or DNS issue.
I obviously have no way to make sure that every wifi access point the Chromecast sees gets registered with a spoofed location.
So I'm at a bit of a loss as to how I'd be able to circumvent this.
I have a Chromecast 1st gen, a Chromecast Ultra and a Nexus Player on Nougat.
Tablet is Nexus 7 (2013) running Pure Nexus Nougat build.
Hey,
So I am having serious wifi issues since I installed my Google Home. I use a Chromecast too, but I think it's safe to say that it's the Home device that f-ed up the wifi network.
I did read all the articles back in January/February that I was not alone with the issue, and as far as I understand, Google rolled out a fix about a month ago.
However, I am still having issues. My wifi drops for no reason (on all devices at the same time, phones included) for a few seconds and then comes back up. I've tried rebooting the router, and updating firmware on the router but no help. Today I pulled the plug to the Google Home until this has been fully resolved.
I love my Home and would like to have it connected. Did the correction that Google rolled out solve it for everyone else here or does anyone still have issues - or is it just me?
How can I see what firmware/software I am running on the Home? I have obviously tried to ask it, but it responds "this is not supported yet".
Any ideas?
Vol
I had the same problem on my main router, so I tried connecting it to my secondary router, and it worked. But since that one was supposed to be for the other part of the house, I got the cheapest used router I could (it doesn't even support the n standard) and created a separate network with a different SSID. Now I use it only to connect Google Home devices, Chromecasts and other smart home wifi devices, and it works (it still uses my main router's DHCP server and network; it is just an AP with a different SSID). Oh, and I use channel 6 on that router, btw.
Volatyle said:
Hey,
So I am having serious wifi issues since I installed my Google Home. I use a Chromecast too, but I think it's safe to say that it's the Home device that f-ed up the wifi network.
I did read all the articles back in January/February that I was not alone with the issue, and as far as I understand, Google rolled out a fix about a month ago.
However, I am still having issues. My wifi drops for no reason (on all devices at the same time, phones included) for a few seconds and then comes back up. I've tried rebooting the router, and updating firmware on the router but no help. Today I pulled the plug to the Google Home until this has been fully resolved.
I love my Home and would like to have it connected. Did the correction that Google rolled out solve it for everyone else here or does anyone still have issues - or is it just me?
How can I see what firmware/software I am running on the Home? I have obviously tried to ask it, but it responds "this is not supported yet".
Any ideas?
Vol
Ok, I feel my networking knowledge can come in handy here! Lol. Home, three Chromecasts, FireTV, Firestick x2; Nighthawk X8000 -> Asus RT-AC68U -> LAN2WAN WNR1000 (for an old 2nd gen Sony Blu-ray DLNA and one-room streaming) + wireless Linksys EA6350 -> Asus RT-AC88U. Yes, an intriguing network! 6-bedroom, 3300 sq ft house. Biggest I've ever afforded! So, needless to say, I pay TWC for 100 Mbps, capping at 230 Mbps on the RT-AC68U ethernet bridge to the wired desktop! All running my own modified compiled TomatoUSB. The Linksys EA6350 is DD-WRT, Kong build, and a PIA, so that's whatever stock Kong wanted. Well, safe to say I've been at making all this work!! What I need from you is topology and setup: running Broadcoms or others? I find Broadcom way easier to mess with. Second, are you running custom or boxed units? And third, are the Google products subnetted (more of a b***h if you ask me!)? And connected on 2.4 or 5? N or AC? And how are you allocating resources, i.e. using QoS or similar? If you can't answer those, I'd need (if unboxed and freed) logcats, iptables, etc. It's more than safe to say the Home is not the culprit in the sense of it "drowning" out the wifi band, but it could drown resources, i.e. low-grade hardware, hardware in the beginning stages of failure and one extra workhorse did it, RAM, eMMC, getting the gist? I'm gonna say with slight certainty you might be rebooting, not the wifi actually cutting out. Also, if custom firmware, it could have corrupted something that the Home doesn't like. But I won't know without the numbers to look at. All I got from you is either a LAN2LAN or a bridge, as I read your main hub is the DHCP, and is the SSID you "created" a subnet? Your "30 dollar" router also could be not up to the task.
And sorry if the reply is anything not right, first post ever here! Years of only reading, lol. And something is wrong with my cheap cracked-screen replacement phone every time the keyboard is opened! Doubt it's this website. My Pixel XL tried to drive on the interstate outside of my car... so sad... just know I'm gonna punch this phone or throw it from the anger I've gained trying to type and sign in to post. Thank you.
Similar solution worked for me
I use a dedicated connection for all things GH related. This stopped the wifi dropout.
I was running a U1 XAA build of Android 10 2.0 with the June 1 Security patch that I'd downloaded and flashed from Sammobile.
A while ago I downloaded and flashed the U1 XAA 2.1 update from the same place and noticed that there are a number of apps I can no longer deny Wifi Control access to under the Apps Special access area:
DeviceTest
DeviceKeystring
FACM
Gear VR Service
Voice wake-up
being 5 out of the 12 I can't deny access to.
Also, I am no longer able to disable Google Play Services, whereas before in 2.0 I could. I'm not even allowed to force-stop Play Services now! It's not just these two changes; there are other things I used to be able to disable but now can't. And I have *two* 'SmartThings' apps, one is version 10.0.37.0 and the other is version 1.7.50-21 (the -21 is just how it's listed.)
I know this all sounds somewhat tame and trivial, but I would like to know if this is all normal and can be confirmed by anyone else.
Anyone
-----------------
**Update**
Okay, just wanted to post some info on some sort of resolution to the above, mostly for those who make honest and earnest pleas for help and ask really pertinent questions but are ignored by the knowledgeable (or criminal) peruser.
In short, I was hacked. It doesn't come as a surprise (has happened *many* times with my N9. It *does* make me wonder about that supposed military-grade Knox security).
How do you know if you're hacked?? I just used the Running Services lister under Development Tools. Look for services that shouldn't be running as often as they do (last hack they had Samsung Push, which is for delivering notifications related to Samsung apps??, running something as a Service (not sure what it was, but as soon as I stopped it, it popped right back up)) or things you never use or have deactivated showing up in the cache (ESPECIALLY Air Command!! Disable this as a Trusted Agent immediately! And keep an eye on it, and always keep the Air Remote feature OFF).
Also, the Google Play Store app. When I flashed the July 2020 Security update I noticed the Play Store was still at the May 2020 version update. I didn't think much of it at the time, but after having to Factory Reset I noticed it now read July 1 2020. So I guess the 'worms' have the May version hacked. Sucks that villainy loves working for free breaking stuff, but in order to build something up and protect it, it takes toil and coercion.
Finally (not sure if this is actually a sign of malware or hacking, but the only reference I could find relating to it was from a guy who was truly beleaguered by hackers): there's a User Certificate under Biometrics & Security / Other Security settings / User Certificates that reads as 'FindMyMobile' and purports to be necessary for VPN security and other applications. Well, I had Find My Mobile deactivated and uninstalled via ADB and it still showed back up after being deleted numerous times, and my VPN seems to work without it. It might be for the Note 9's built-in Knox Android VPN strengthening parameters, but I couldn't find info online about it anywhere except in the case I mentioned, which seems very odd. Qualifying proof of its malicious intent for me?: after factory resetting it hasn't shown back up.
I don't think my N9 is cleaned, or I should say I'll never trust a smart phone fully again, not until the outdated and hacked 40-year-old SS7 protocol that runs all cellular communications is updated, not until something more reliably secure than 'somewhat' obfuscatingly complex baseband processors is present in phones, and maybe something akin to a hardware firewall in the SoC that can interpret and filter non-carrier invalid commands (prob only need to update that damn SS7 protocol!). I'd also love it if Google/Alphabet would dump Android and start over with a new updated mobile OS with security at the forefront (think: updates delivered via 'middleware', ROMs bought initially directly from the manufacturer that can be cryptographically flashed up to three times with signed updates, with each update burned and locked into the ROM via fuses. Each factory reset brings you back to your last update. The ROMs are only updatable if a hardware DIP switch is tripped which moves actual physical leads in the SoC which powers the ability to flash this chip). And maybe screw AOSP; I wonder if all this open-sourceness has actually given the malware creators more knowledge to finesse the software and the hardware. The so-called white-hat 'Ethical Hackers' (LOL! HOW can breaking into someone's personal space without permission outside of national defense be considered ethical?!? All hackers are criminals. If you want to be considered a 'good' hacker (*snort*), bring to light the measly exploits and software, the slime who make and distribute the same, and tell how to protect against them and detect them and disable them. Criminals giving webinars and seminars about how to circumvent protections for devices that billions of people rely on for living should be outlawed FULL-STOP-PERIOD. I'd rather have one slime who knows how to get into a system than have that slime be allowed to freely distribute the software and knowledge so that millions of other definitely less conscionable scum can make use of his knowledge.) Hackers only care about making their fame and fortune by bringing to light obscure and unknown exploits that no one has ever used or is likely to use, rather than going after the exploits that *are* in use and *do* affect those in the here and now. It must give some sense of ease not to be in contention with real criminality and the fear of any reprisals from the 'less-ethically saturated' in the tech community.
Just wanted to get that out somewhere. I know it's pointless and no one will listen. Look at what Edward Snowden sacrificed for people who were/are unworthy of *any* sacrifice, betraying everything bit by bit, battle by battle, until it must one day be reclaimed (if it can be) via costly confrontation, disruption and perhaps irrevocable critical loss.
Okay, END RANT. Yeah, a slow day, corona cloud and all.
But seriously, the Feds need to check all this electronic criminality; it's gotten waaay out of hand. TO FEDS: Less hunting terrorists, MORE hunting electronic predators and anarchists!
Hi, @tamdwin,
Even though you believe your phone may have been hacked, DeviceKeystring, DeviceTest, EmergencyManagerService, FACM, IMS Service, IOTHiddenMenu, Samsung MirrorLink 1.1, Settings, Setup Wizard, Wi-Fi Direct & WlanTest are enabled on my Note9 with One UI 2.1, Security patch: 1 July 2020 (w/out Google Play Services/Google Play Store, Bixby, GearVR, DeX...only have Google Services Framework installed).
After downloading the 1 July 2020 Security update, I noticed that these services could no longer be turned off for wi-fi control.
Wish I never downloaded the update for the fancy camera features, lol.
Snowden? Have you read any of his articles on smartphone security? (you may want to throw your phone in a blender after reading...)
Some of the settings, such as disabling "Find My Mobile" from running in the background, reset/enable after you restart the phone.
Snowden? Have you read any of his articles on smartphone security? (you may want to throw your phone in a blender after reading...)
But will it blend!
https://www.youtube.com/watch?v=FN9mktgYZJ8
I am worried about these things, so I am looking at developing my own custom ROM.
Sorry for my English, I am Brazilian.
@P00r ROFL! The Samsung S4 Active shake looks delicious! Thank you for sharing the vid!
silvaBR said:
I am worried about these things, so I am looking at developing my own custom ROM.
That sounds like an excellent plan!
Seems like a stupid question, but yes I bought a 2213 EU version, unlocked the bootloader, rooted it the right way, did everything to pass safety net, device is play protect registered, getprop ro.boot.verifiedbootstate returns green, Google Pay works fine after root, DRM Info shows Widevine L1
Netflix won't install (not compatible with device)
HBOMax won't play
Peacock won't install
Hulu won't install
Is this possibly a OnePLus bug on the new NE2213_11_A.15 build, some new rooting thing with Android 12, bad luck, or is there some solution that I need to install?
I may be headed right back to the trusty OnePlus 8 Pro... which has none of these issues and has the Macro Camera which I actually miss...
Thanks in advance for any suggestions...
Also, if anyone in the US needs dual SIM, the EU versions supports all the US bands (and more), is dual SIM, and works flawlessly with T-Mobile...5G, VoWiFi, everything.
Same thing for me. I live in Sweden and we have Cmore & Discovery here that refuse to play after bootloader unlock and root; no Magisk Hide solution has worked for me. Maybe bootloader unlock with no root works, but I can't try because my OP10 is bricked. My old OP9 was working perfectly with all the streaming. I now have a Xiaomi 12 Pro and was afraid the same thing would happen with this phone; I only unlocked the bootloader on this phone with no root, and everything works 100%: streaming apps, GPay.
It just seems there is something wrong here in the way that OnePlus certified this device. Other Android 12 devices can be rooted without all these issue, right?
Can people US or Chinese / Indian versions get rooted and have access to the Streaming services?
MetroWestMA said:
It just seems there is something wrong here in the way that OnePlus certified this device. Other Android 12 devices can be rooted without all these issue, right?
Can people US or Chinese / Indian versions get rooted and have access to the Streaming services?
I have Hulu Disney plus and Netflix working but only play when streamed to my Chromecast. On device play doesn't work and only plays L3 even though device reads L1. Believe it's to deal with bootloader unlock and not root. But others posted that it was a OnePlus issue and was supposed to be resolved but hasn't been.
toolhas4degrees said:
I have Hulu Disney plus and Netflix working but only play when streamed to my Chromecast. On device play doesn't work and only plays L3 even though device reads L1. Believe it's to deal with bootloader unlock and not root. But others posted that it was a OnePlus issue and was supposed to be resolved but hasn't been.
It's an issue with this particular Snapdragon chip. The Samsung Galaxy Tab S8 uses the same processor and has the exact same problem.
g96818 said:
It's a issue with this particular Snapdragon chip. The Samsung Galaxy Tab S8 uses the same processor and has the exact same problem.
How can it be the chip? It could be that the associated kernel didn't have the correct commits from Snapdragon. But still, the DRM is in the secure partition on our device, which can't be altered either.
toolhas4degrees said:
How can it be the chip? It could be that the associated kernel didn't have the correct commits from Snapdragon. But still, the DRM is in the secure partition on our device, which can't be altered either.
Not sure, but that's the only common link between both devices from different manufacturers. They're basically using the same work around we are. I'll be testing it out shortly also since my S8 was just delivered.
It is just fundamentally blocking anything having to do with DRM. You can't even spoof the user agent and watch any streaming service through a browser -- it asks if the browser can play secure content (you say yes) and then gives an error. I am not even that much of a TV / Movie guy, but to be 100% blocked from any streaming just for rooting a device you own????
Pretty F&*^in extreme if you asked me....
The only question is do I wait for someone to hack it (if that's even possible), or do I just go back to my trusty OP 8 Pro and sell this...?
Are there any Android 12 rootable phones that don't have this issue...or is it all Android 12 phones?
MetroWestMA said:
It is just fundamentally blocking anything having to do with DRM. You can't even spoof the user agent and watch any streaming service through a browser -- it asks if the browser can play secure content (you say yes) and then gives an error. I am not even that much of a TV / Movie guy, but to be 100% blocked from any streaming just for rooting a device you own????
Pretty F&*^in extreme if you asked me....
The only question is do I wait for someone to hack it (if that's even possible), or do I just go back to my trusty OP 8 Pro and sell this...?
Are there any Android 12 rootable phones that don't have this issue...or is it all Android 12 phones?
I think it's a Snapdragon issue rather than a software issue.
MetroWestMA said:
Seems like a stupid question, but yes I bought a 2213 EU version, unlocked the bootloader, rooted it the right way, did everything to pass safety net, device is play protect registered, getprop ro.boot.verifiedbootstate returns green, Google Pay works fine after root, DRM Info shows Widevine L1
Netflix won't install (not compatible with device)
HBOMax won't play
Peacock won't install
Hulu won't install
Is this possibly a OnePLus bug on the new NE2213_11_A.15 build, some new rooting thing with Android 12, bad luck, or is there some solution that I need to install?
I may be headed right back to the trusty OnePlus 8 Pro... which has none of these issues and has the Macro Camera which I actually miss...
Thanks in advance for any suggestions...
Also, if anyone in the US needs dual SIM, the EU versions supports all the US bands (and more), is dual SIM, and works flawlessly with T-Mobile...5G, VoWiFi, everything.
How did you get widevine L1 after bootloader unlock?
devtherockstar said:
How did you get widevine L1 after bootloader unlock?
That's what DRM Info showed.
But for me it's all moot at this point. Yesterday, Google Pay stopped working (some new detection thing I presume), so I attempted to relock the bootloader with
./fastboot flashing lock
at which point the device started going into an infinite power-cycle instant reboot with no way to get into FASTBOOT or Recovery or turn off the phone. So I am just returning the phone and going back to the OnePlus 8 / Android 11, where you can be fully rooted and everything just works.
What a disappointment and waste of time.
Thanks to everyone who offered suggestions... I'll try back in 6 months or so and see if any of this gets sorted out.
It's not "issues with the chip". Google upped their ante with root detection, which breaks everything from netflix to google pay. See this thread.
I was the OP and had to return my bricked OP10Pro under the 30 day return period.
Anyway, I bought a Google 512GB Pixel 6 Pro used, rooted it, and did the basic stuff I have done since the OP8Pro -- and everything works -- GPay, Netflix, no DRM issues and no hassles.
So maybe it is the chip, but if google had "upped their game" I would think it would be with their own phones especially since the Tensor SOC (co developed with Samsung) has a trusted security module.
As far as the phones go, the Pixel Pro is heavier and the battery charges slower, but you get dual SIM and it works on all USA/worldwide 5G networks and bands. And the cameras are top notch. So kind of a tossup, I guess.