Why Google Has Yet to Fix Chromecast Flaw One Year Later
NEWS ANALYSIS: Not all public exploits get patches—and sometimes there are even good reasons why. That's the case with a flaw in Chromecast that was demonstrated at last year's Black Hat security conference.Every summer, the annual Black Hat USA security conference trots out a conga line of security experts, many of them with zero-day exploits in hand. More often than not, those exploits get fixed in a relatively short period of time after the conference ends, but not always. Case in point is a Google Chromecast security vulnerability first publicly demonstrated at the Black Hat USA event last year. Chromecast is Google's popular media streaming device. In the Arsenal tools showcase as part of Black Hat, Dan Petro, security researcher at Bishop Fox, demonstrated a Chromecast hack and tool called the Ricmote. Now a year later, Petro's Chromecast vulnerability remains unpatched and is likely to remain so for a variety of reasons. With his Chromecast hack, Petro publicly demonstrated (see the eWEEK video here) how a small Raspberry Pi ARM computer he dubbed the Ricmote could abuse Chromecast's functionality and send an arbitrary video to a Chromecast user. As part of the Chromecast takeover, Petro's device streamed Rick Astley's "Never Going to Give You Up" music video in an attack known as rickrolling, though Petro noted that any content could be sent. In an interview with Petro ahead of Black Hat 2015, he told eWEEK that from where he sits, it isn't likely that Google will fix the Ricmote vulnerability at all. Petro said there isn't a great way of fixing the flaw without impacting usability in a way that would be unacceptable for how Google wants Chromecast to work.
"It's part of a design choice that Google made, and Chromecast is going to be 'rickrollable' indefinitely into the future," he said.