smart devices

Hackers hijack thousands of Chromecasts to warn of latest security bug


Hackers have hijacked thousands of exposed Chromecast streaming devices to warn users of the latest security flaw to affect the device. But other security researchers say that the bug — if left unfixed — could be used for more disruptive attacks.

The culprits, known as Hacker Giraffe and J3ws3r, have become the latest to figure out how to trick Google’s media streamer into playing any YouTube video they want — including videos that are custom-made. This time around, the hackers forced the affected Chromecasts to display a pop-up notice that’s viewable on the connected TV, warning the user that their misconfigured router is exposing their Chromecast and smart TV to hackers like themselves.

Not ones to waste an opportunity, the hackers also ask that you subscribe to PewDiePie, an awful internet person with a popular YouTube following. (Hacker Giraffe is the same hacker who tricked thousands of exposed printers into printing support for PewDiePie.)

The bug, dubbed CastHack, exploits a weakness in both Chromecast and the router it connects to. Some home routers have enabled Universal Plug and Play (UPnP), a networking standard that can be exploited in many ways. UPnP forwards ports from the internal network to the internet, making Chromecasts and other devices viewable and accessible from anywhere on the internet.

As the two say, disabling UPnP should fix the problem.

“We have received reports from users who have had an unauthorized video played on their TVs via a Chromecast device,” a Google spokesperson told TechCrunch. “This is not an issue with Chromecast specifically, but is rather the result of router settings that make smart devices, including Chromecast, publicly reachable,” the spokesperson said.

That’s true on one hand, but it doesn’t address the underlying issue — that the Chromecast can be tricked into allowing an unauthenticated attacker the ability to hijack a media stream and display whatever they want.

Hacker Giraffe sent this YouTube video to thousands of exposed Chromecast devices, warning that their streams could be easily hijacked. (Screenshot: TechCrunch)

Bishop Fox, a security consultancy firm, first found a hijack bug in 2014, not long after the Chromecast debuted. The researchers found that they could conduct a “deauth” attack that disconnects the Chromecast from the Wi-Fi network it was connected to, causing it to revert back to its out-of-the-box state, waiting for a device to tell it where to connect and what to stream. That’s when it can be hijacked and forced to stream whatever the hijacker wants. All of this can be done in an instant — as they did — with a touch of a button on a custom-built handheld remote.

Two years later, U.K. cybersecurity firm Pen Test Partners discovered that the Chromecast was still vulnerable to “deauth” attacks, making it easy to play content on a neighbor’s Chromecasts in just a few minutes.

Ken Munro, who founded Pen Test Partners, says there’s “no surprise that somebody else stumbled on to it,” given that Bishop Fox found it in 2014 and his company tested it in 2016.

“In fairness, we never thought that the service would be exposed on the public internet, so that is a very valid finding of his, full credit to him for that,” Munro told TechCrunch. (Google said in a follow-up email that it’s working to fix the deauth bug.)

He said the way the attack is conducted is different, but the method of exploitation is the same. CastHack can be exploited over the internet, while the “deauth” attacks demonstrated by Bishop Fox and his own company can be carried out within range of the Wi-Fi network — yet both attacks let the hacker control what’s displayed on the TV from the Chromecast, he said.

Munro said Google should have fixed its bug in 2014 when it first had the chance.

“Allowing control over a local network without authentication is a really silly idea on [Google’s] part,” he said. “Because users do silly things, like expose their TVs on the internet, and hackers find bugs in services that can be exploited.”

But Munro said that these kinds of attacks — although obnoxious and intrusive on the face of it — could be exploited to have far more malicious consequences.

In a blog post Wednesday, Munro said it was easy to exploit other smart home devices — like an Amazon Echo — by hijacking a Chromecast and forcing it to play commands that are loud enough to be picked up by its microphone. That’s happened before, when smart assistants get confused when they overhear words on the television or radio, and suddenly and without warning purchase items from Amazon. (You can and should turn on a PIN for ordering through Amazon.)

To name a few, Munro said it’s possible to force a Chromecast into loading a YouTube video created by an attacker to trick an Echo to: “Alexa, order an iPad,” or, “Alexa, turn off the house alarm,” or, “Alexa, set an alarm every day at 3am.”

Amazon Echos and other smart devices are widely considered to be secure, even if they’re prone to overhearing things they shouldn’t. Often, humans are the weakest link. Second to that, it’s the other devices around smart home assistants that pose the biggest risk, said Munro in his blog post. That was demonstrated recently when Canadian security researcher Render Man showed how using a sound transducer against a window can trick a nearby Amazon Echo into unlocking a network-connected smart lock on the front door of a house.

“Google needs to properly fix the Chromecast deauth bug that allows casting of YouTube traffic,” said Munro.

Updated at 9pm ET: with a new, clearer headline to better reflect the flaws over the years, and added additional comment from Google.

Powered by WPeMatico

Everyday home gear made smart

Makula Dunbar
Contributor

Makula Dunbar is a writer with Wirecutter.

Editor’s note: This post was done in partnership with Wirecutter. When readers choose to buy Wirecutter’s independently chosen editorial picks, Wirecutter and TechCrunch may earn affiliate commissions.

If you only have one smart home device, it’s likely something simple and fun like a voice-controlled speaker or color-changing LED light bulb. As you expand your smart home setup, you can begin to swap out gear that isn’t as flashy but that you still use every day.

Switching to connected locks, power outlets and smoke alarms are all simple installs that can improve your safety and comfort in your own home. We’ve pulled together some of our favorite essentials made smart for anyone looking to upgrade.

Smart lock: Kwikset Kevo Smart Lock 2nd Gen

The Kwikset Kevo Smart Lock 2nd Gen is the most versatile smart lock that we’ve tested. Whether you prefer to use a wireless fob, smartphone app or key, you’ll be able to control the lock with all of them. When we compared it to similar models, the Kevo’s Bluetooth-activated tap-to-unlock mechanism was the easiest to use.

The second generation of the Kevo improved on security and has all-metal internal components for better protection against forced break-in attempts. With the optional Kevo Plus upgrade, you’ll add the ability to control the lock remotely and receive status-monitoring updates.

Photo: Liam McCabe

Robot Vacuum: iRobot Roomba 960

If cleaning is neither your forte nor your preferred pastime, a robot vacuum will come in handy. Our upgrade pick, the iRobot Roomba 960, is one of the most powerful models that we tested. It can be controlled through the iRobot Home app and uses a bump-and-track navigation system that helps vacuum an entire floor without missing spots.

If its battery is running low during a session, it’ll return to its dock to power up before finishing the job. It’s easy to disassemble for maintenance and is equipped with repairable parts that make it worth its price over some of our less serviceable picks.

Photo: Rachel Cericola

Plug-in Smart Outlet: Belkin Wemo Mini

We tested 26 smart outlet models over more than 45 hours and chose the Belkin Wemo Mini Wi-Fi plug as our top pick. If you’ve ever thought it’d be nice to remotely turn on or off home essentials such as lamps, air conditioners and fans from your smartphone, plugging them into a smart outlet makes it possible.

The Wemo Mini has proven to be reliable throughout long-term testing, it doesn’t block other outlets on the same wall plate and it’s compatible with iOS and Android devices and assistants, including HomeKit/Siri, Alexa and Google Assistant. The interface of the Wemo app is intuitive and easy to use. You can view all of your connected devices on one screen, set power timers and turn a device plugged into the Wemo outlet on or off from anywhere.

Photo: Jennifer Pattison Tuohy

Smart Thermostat: Nest Thermostat E

For a smart thermostat that’s affordable and doesn’t require extensive programming, we recommend the Nest Thermostat E. After about a week of learning the cooling and heating preferences that you’ve set, it creates a schedule. It isn’t compatible with as many HVAC systems as similar Nest models, but it’s easy to install and doesn’t lack any features we expect.

It does come with Eco Mode — an energy-saving geofencing feature that detects when your home is empty (or when your smartphone is nowhere near your house). The Nest app uses the same technology to set the thermostat to a preferred temperature when it senses you’re on your way home. If you don’t have your smartphone on hand, you can still operate the Thermostat E by turning its outer ring and pressing selections on its touchscreen.

Photo: Michael Hession

Smart Smoke Alarm: Nest Protect

A smoke alarm is one of the most relied-upon safety devices in every home. Nonetheless, it’s easy to forget to do routine checks to ensure it’s in tip-top shape and functioning properly. With a smart smoke alarm like the Nest Protect, we found that its simple app, self-tests, monthly sound checks and consistent alerts are enough to keep fire safety worries at bay.

It isn’t difficult to install, has a sleek design and integrates with other smart home devices like the Nest Cam (which can record video of a fire) and the Nest Learning Thermostat (which shuts down HVAC systems that may be the cause of a fire). It’s sensitive to fast- and slow-burning fires, plus it monitors homes for both smoke and carbon monoxide.

These picks may have been updated by Wirecutter. When readers choose to buy Wirecutter’s independently chosen editorial picks, Wirecutter and TechCrunch may earn affiliate commissions.


Defusing The Internet Of Things Time Bomb


They’re coming, and we won’t be able to stop them. But will they be friends or foes? What are we talking about? Internet of Things (IoT) devices. And, as with most things, the answer will depend on the details. Gartner predicts there will be approximately 5 billion such devices in use this year, growing to 25 billion (more than half of them consumer-focused) by 2020.
