Wi-Fi security alert on Chromecast as ‘Rickmote’ hijacks nearby boxes

Concern has risen over Google’s popular Chromecast TV streamer’s Wi-Fi security, after a security researcher unveiled a ‘Rickmote’ remote control which hijacks any nearby Chromecast via Wi-Fi (without requiring a password), and plays the timeless internet joke/Eighties pop staple Never Gonna Give You Up by Rick Astley on a loop.

The ‘Rickmote’ device has a large orange button with emblazoned with Rick Astley’s face, and hijacks the popular Google TV dongle via its simplified Wi-Fi connection, according to PC World. The result is a looped video of the popular video, a meme where web users attempted to trick one another into following links containing it.

More details of the hack are to be revealed soon, but its creator says that it could be used for more damaging purposes than tormenting neighbours with Eighties pop.

The gadget is based on the popular Raspberry Pi mini-computer, a hit with DIY computing enthusiasts, and was created by security researcher Dan Petro of the consultancy Bishop Fox.

Wi-Fi security hack explained

Petro wrote in a blog post this week, “How is it possible to hijack unsuspecting Chromecast users’ TVs, turning their “Game of Thrones” marathon into a 1980s flashback? The Rickmote accomplishes this by briefly disconnecting nearby Chromecasts from their Wi-Fi.”

“When this loss of connectivity occurs, the Chromecast tries to reconfigure and accepts commands from anyone within proximity. The Rickmote automatically provides this configuration in the form of everyone’s favorite Rick Astley song on loop.”

Rickmote – passwords at risk?

The hack takes around 30 seconds, but all Chromecasts within Wi-Fi range are vulnerable, and users could in theory play any video, not just the traditional Never Gonna Give You Up, according to a report in Wired.

Petro says that he discovered a further bug in Chromecast which may make it possible for an attacker to extract a home’s Wi-Fi password – potentially a much more serious Wi-Fi security concern.

“This is actually a really hard problem, and it’s not clear that it’s ever going to get fixed,” Petro said.

Google has provided no comment on the issue at time of writing. Further video evidence is available via this link.

Petro is due to disclose further details of the hack, and the device at Black Hat Tools Arsenal USA on August 6, where he promises to show off a step-by-step guide to turning a Raspberry Pi into an automated Chromecast hacker which rickrolls all boxes within Wi-Fi range.

Author , We Live Security

Follow us

Copyright © 2017 ESET, All Rights Reserved.