Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Google Patches Chromecast Vulnerabilities Exploited at Hacking Contest

Google has patched several high and moderate-severity Chromecast vulnerabilities demonstrated earlier this year at a hacking competition. 

Chromecast hacking

Google recently announced patches for several high- and moderate-severity Chromecast vulnerabilities that were exploited earlier this year at a hacking competition.

Google informed customers about the fixes for the Chromecast flaws last week, when it announced the Android security updates for December. 

The tech giant told users that the latest update for its streaming device addresses a total of three vulnerabilities affecting AMLogic chips, specifically the U-Boot subcomponent, a one issue in KeyChain, specifically in the System component. 

The vulnerabilities were presented in July at the HardPwn USA 2023 hardware hacking competition that took place alongside the Hardwear.io conference in California. Google, Meta and Parrot products were targeted at the event. 

Researchers earned between a few hundred dollars and tens of thousands of dollars for their Chromecast exploits at the event.

Google has credited Nolen Johnson of DirectDefense, Jan Altensen, and Ray Volpe for finding CVE-2023-6181 and CVE-2023-48425; Lennert Wouters, rqu, and Thomas Roth (stacksmashing) for CVE-2023-48424; and Rocco Calvi (TecR0c) and SickCodes for CVE-2023-48417.

DirectDefense last week published a blog post detailing the full Secure Boot exploit chain developed by Johnson, Altensen and Volpe, who have decided not to disclose the exact bug bounty amount. Their exploit cannot be leveraged directly for remote code execution, but it can aid an attacker in obtaining persistent code execution without the victim’s knowledge.

“The biggest concern is supply chain interception on platforms like eBay and other third-party retailers,” Johnson told SecurityWeek. “It has been proven that various Android TV streaming boxes sold through these channels can be injected with malware.”

Advertisement. Scroll to continue reading.

The researchers described three attack vectors, including eMMC fault injection, which allows access to a U-Boot shell but requires advanced hardware hacking, an Android Verified Boot bypass, and a Bootloader Control Block (BCB) persistence method, which enables a permanent bypass of Secure Boot.

“[The BCB persistence method] is in my opinion the real zinger, as this allows any user with root access to persistently run code in u-boot shell on the next and subsequent boots. Meaning that once you perform the eMMC fault inject once, the device can be persistently hacked without user knowledge. Hence the concern with supply chain attacks,” Johnson explained. “Additionally, this implies that if anyone had ever had the ability to get local root access via an OS level exploit (say malicious app or something), they could write the BCB and effectively hack the device.”

TecR0c and Sick Codes told SecurityWeek that their KeyChain exploit earned them only $500, but noted that their research also unveiled some Android vulnerabilities that are currently being reviewed by Google. 

“This vulnerability can potentially be exploited by any application installed on the same device that has the capability to send Intents. An attacker would first need to create a malicious application and persuade a user to install it. Once the malicious app is installed, it can send crafted Intents to the KeyChainActivity,” the researchers said.

“The attacker will be able to manipulate the behavior of the KeyChainActivity, causing unauthorized operations to be performed,” they added. “Depending on how KeyChainActivity uses these Intent extras, an attacker could potentially gain access to sensitive information such as encryption keys or certificate data, or cause the KeyChainActivity to manipulate such data in a manner beneficial to the attacker. This could potentially allow an attacker to perform actions such as impersonating the user, decrypting sensitive information, or causing denial of service.”

Wouters, rqu, and Roth said their Chromecast exploit earned them a total of more than $68,000. 

“Our attack involves temporary physical access to the device, and so it’s mainly useful for ‘evil-maid’, supply-chain attacks and for recovering data from lost/stolen/discarded devices. It is not particularly difficult to perform, but requires taking apart the device,” the researchers told SecurityWeek. “Using our attack it is possible to permanently compromise a Chromecast by installing a malicious firmware, and to dump the existing sensitive information (such as wifi credentials etc) from the Chromecast. The attack is invisible to the user afterwards and the device remains fully functional.”

They also shared additional technical details, “By corrupting the signals of the integrated flash storage (eMMC) during a specific time in the boot-process we were able to gain access to the interactive console of the integrated bootloader (U-Boot). From there we were able to modify some of the boot arguments that are given to the Linux kernel, which gave us access to a root shell early in the Linux boot process. Using this we were able to overwrite a kernel module which allowed us to execute code with maximum permissions while continuing the regular boot process.”

Related: Hackers Earn Over $1 Million at Pwn2Own Toronto 2023

Related: Google Expands Bug Bounty Program With Chrome, Cloud CTF Events

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.