Turns out people are upgrading their iPhones less frequently. That’s not good for Apple’s revenue—but it’s great for everyone else.
The FCC has remained open while much of the government is shut down. That changes Thursday.
To offset the phase-out of a federal tax credit, Tesla cut the price of its cars by $2,000—which might be better for some buyers.
Hackers have hijacked thousands of exposed Chromecast streaming devices to warn users of the latest security flaw to affect the device. But other security researchers say that the bug — if left unfixed — could be used for more disruptive attacks.
The culprits, known as Hacker Giraffe and J3ws3r, have become the latest person to figure out how to trick Google’s media streamer into playing any YouTube video they want — including videos that are custom-made. This time around, the hackers hijacked forced the affected Chromecasts to display a pop-up notice that’s viewable on the connected TV, warning the user that their misconfigured router is exposing their Chromecast and smart TV to hackers like themselves.
Not one to waste an opportunity, the hackers also asks that you subscribe to PewDiePie, an awful internet person with a popular YouTube following. (He’s the same hacker who tricked thousands of exposed printers into printing support for PewDiePie.)
The bug, dubbed CastHack, exploits a weakness in both Chromecast and the router it connects to. Some home routers have enabled Universal Plug and Play (UPnP), a networking standard that can be exploited in many ways. UPnP forwards ports from the internal network to the internet, making Chromecasts and other devices viewable and accessible from anywhere on the internet.
As the two say, disabling UPnP should fix the problem.
“We have received reports from users who have had an unauthorized video played on their TVs via a Chromecast device,” a Google spokesperson told TechCrunch. “This is not an issue with Chromecast specifically, but is rather the result of router settings that make smart devices, including Chromecast, publicly reachable,” the spokesperson said.
That’s true on one hand, but it doesn’t address the underlying issue — that the Chromecast can be tricked into allowing an unauthenticated attacker the ability to hijack a media stream and display whatever they want.
Bishop Fox, a security consultancy firm, first found a hijack bug in 2014, not long after the Chromecast debuted. The researchers found that they could conduct a “deauth” attack that disconnects the Chromecast from the Wi-Fi network it was connected to, causing it to revert back to its out-of-the-box state, waiting for a device to tell it where to connect and what to stream. That’s when it can be hijacked and forced to stream whatever the hijacker wants. All of this can be done in an instant — as they did — with a touch of a button on a custom-built handheld remote.
Two years later, U.K. cybersecurity firm Pen Test Partners discovered that the Chromecast was still vulnerable to “deauth” attacks, making it easy to play content on a neighbor’s Chromecasts in just a few minutes.
Ken Munro, who founded Pen Test Partners, says there’s “no surprise that somebody else stumbled on to it,” given both Bishop Fix found it in 2014 and his company tested it in 2016.
“In fairness, we never thought that the service would be exposed on the public internet, so that is a very valid finding of his, full credit to him for that,” Munro told TechCrunch. (Google said in a follow-up email that it’s working to fix the deauth bug.)
He said the way the attack is conducted is different, but the method of exploitation is the same. CastHack can be exploited over the internet, while Bishop Fox and his “deauth” attacks can be carried out within range of the Wi-Fi network — yet, both attacks let the hacker control what’s displayed on the TV from the Chromecast, he said.
Munro said Google should have fixed its bug in 2014 when it first had the chance.
“Allowing control over a local network without authentication is a really silly idea on [Google’s] part,” he said. “Because users do silly things, like expose their TVs on the internet, and hackers find bugs in services that can be exploited.”
But Munro said that these kinds of attacks — although obnoxious and intrusive on the face of it — could be exploited to have far more malicious consequences.
In a blog post Wednesday, Munro said it was easy to exploit other smart home devices — like an Amazon Echo — by hijacking a Chromecast and forcing it to play commands that are loud enough to be picked up by its microphone. That’s happened before, when smart assistants get confused when they overhear words on the television or radio, and suddenly and without warning purchase items from Amazon. (You can and should turn on a PIN for ordering through Amazon.)
To name a few, Munro said it’s possible to force a Chromecast into loading a YouTube video created by an attacker to trick an Echo to: “Alexa, order an iPad,” or, “Alexa, turn off the house alarm,” or, “Alexa, set an alarm every day at 3am.”
Amazon Echos and other smart devices are widely considered to be secure, even if they’re prone to overhearing things they shouldn’t. Often, the weakest link are humans. Second to that, it’s the other devices around smart home assistants that pose the biggest risk, said Munro in his blog post. That was demonstrated recently when Canadian security researcher Render Man showed how using a sound transducer against a window can trick a nearby Amazon Echo into unlocking a network-connected smart lock on the front door of a house.
“Google needs to properly fix the Chromecast deauth bug that allows casting of YouTube traffic,” said Munro.
Updated at 9pm ET: with a new, clearer headline to better reflect the flaws over the years, and added additional comment from Google.
It’s on like Donkey Kong! We’ll be seeing you next week, on January 9, 2019 at 6:00 PM, where we’ll mingle and run a full TC pitch-off with a bunch of great hardware companies. I’ve added 40 extra tickets, so hurry!
The event will be held at Work In Progress, 317 South 6th Street. Special thanks to those amazing folks who opened their doors to us during one of the busiest weeks in LV.
I’ve contacted the companies that will be pitching. If anyone drops out, I’ll choose some more, so there is still a chance to pitch.
See you soon!
Thunderbird, Mozilla’s desktop email client, doesn’t have anywhere near the amount of mindshare of the organization’s Firefox browser, yet even in this age of web-based email services, it still has a sizable user community. For 2019, those users can look forward to a faster and more beautiful application, Thunderbird community manager Ryan Sipes announced today.
Only a few years ago, Mozilla’s relationship with Thunderbird looked rather rocky. Back in 2015, the organization decided to decouple Thunderbird’s technical infrastructure from Firefox’s and look for other organizations that would like to invest in it. In the end, though, Mozilla decided to keep Thunderbird in-house and not move it to another organization and continue to support the project. That gave Thunderbird some much-needed stability and, as Sipes announced today, there are now eight full-time staffers who work on the project, with plans for hiring six more soon.
For 2019, the expanded team promises to make the application run faster and address performance issues — and to rewrite some parts of the client in an effort to build a multi-process version that can make better use of modern processors (it’s worth noting that Firefox went through a similar rewrite).
At the same time, Thunderbird will also get a few user interface updates, better notifications and, maybe even more importantly, better Gmail support. The current Gmail setup procedure isn’t actually all that complicated, but once you do have Thunderbird set up to work with your Gmail account, you don’t get access to many of Gmail’s proprietary features. To work around some of this, the Thunderbird team will soon offer better label support, for example.
The Roku Channel will be available to stream from within the Roku app, and will add paid subscription options like Showtime.