Google Patches Chromecast Vulnerabilities Exploited at Hacking Contest

Google recently announced patches for several high- and moderate-severity Chromecast vulnerabilities that were exploited earlier this year at a hacking competition.

Google informed customers about the fixes for the Chromecast flaws last week, when it announced the Android security updates for December. 

The tech giant told users that the latest update for its streaming device addresses a total of three vulnerabilities affecting AMLogic chips, specifically the U-Boot subcomponent, a one issue in KeyChain, specifically in the System component. 

The vulnerabilities were presented in July at the HardPwn USA 2023 hardware hacking competition that took place alongside the Hardwear.io conference in California. Google, Meta and Parrot products were targeted at the event. 

Researchers earned between a few hundred dollars and tens of thousands of dollars for their Chromecast exploits at the event.

Google has credited Nolen Johnson of DirectDefense, Jan Altensen, and Ray Volpe for finding CVE-2023-6181 and CVE-2023-48425; Lennert Wouters, rqu, and Thomas Roth (stacksmashing) for CVE-2023-48424; and Rocco Calvi (TecR0c) and SickCodes for CVE-2023-48417.

DirectDefense last week published a blog post detailing the full Secure Boot exploit chain developed by Johnson, Altensen and Volpe, who have decided not to disclose the exact bug bounty amount. Their exploit cannot be leveraged directly for remote code execution, but it can aid an attacker in obtaining persistent code execution without the victim’s knowledge.

“The biggest concern is supply chain interception on platforms like eBay and other third-party retailers,” Johnson told SecurityWeek. “It has been proven that various Android TV streaming boxes sold through these channels can be injected with malware.”

The researchers described three attack vectors, including eMMC fault injection, which allows access to a U-Boot shell but requires advanced hardware hacking, an Android Verified Boot bypass, and a Bootloader Control Block (BCB) persistence method, which enables a permanent bypass of Secure Boot.

“[The BCB persistence method] is in my opinion the real zinger, as this allows any user with root access to persistently run code in u-boot shell on the next and subsequent boots. Meaning that once you perform the eMMC fault inject once, the device can be persistently hacked without user knowledge. Hence the concern with supply chain attacks,” Johnson explained. “Additionally, this implies that if anyone had ever had the ability to get local root access via an OS level exploit (say malicious app or something), they could write the BCB and effectively hack the device.”

TecR0c and Sick Codes told SecurityWeek that their KeyChain exploit earned them only $500, but noted that their research also unveiled some Android vulnerabilities that are currently being reviewed by Google. 

“This vulnerability can potentially be exploited by any application installed on the same device that has the capability to send Intents. An attacker would first need to create a malicious application and persuade a user to install it. Once the malicious app is installed, it can send crafted Intents to the KeyChainActivity,” the researchers said.

“The attacker will be able to manipulate the behavior of the KeyChainActivity, causing unauthorized operations to be performed,” they added. “Depending on how KeyChainActivity uses these Intent extras, an attacker could potentially gain access to sensitive information such as encryption keys or certificate data, or cause the KeyChainActivity to manipulate such data in a manner beneficial to the attacker. This could potentially allow an attacker to perform actions such as impersonating the user, decrypting sensitive information, or causing denial of service.”

Wouters, rqu, and Roth said their Chromecast exploit earned them a total of more than $68,000. 

“Our attack involves temporary physical access to the device, and so it’s mainly useful for ‘evil-maid’, supply-chain attacks and for recovering data from lost/stolen/discarded devices. It is not particularly difficult to perform, but requires taking apart the device,” the researchers told SecurityWeek. “Using our attack it is possible to permanently compromise a Chromecast by installing a malicious firmware, and to dump the existing sensitive information (such as wifi credentials etc) from the Chromecast. The attack is invisible to the user afterwards and the device remains fully functional.”

They also shared additional technical details, “By corrupting the signals of the integrated flash storage (eMMC) during a specific time in the boot-process we were able to gain access to the interactive console of the integrated bootloader (U-Boot). From there we were able to modify some of the boot arguments that are given to the Linux kernel, which gave us access to a root shell early in the Linux boot process. Using this we were able to overwrite a kernel module which allowed us to execute code with maximum permissions while continuing the regular boot process.”

Leave a Reply

Your email address will not be published. Required fields are marked *