Google fixes three Chromecast device vulnerabilities

Google said it patched three vulnerabilities in a version of its Chromecast media-streaming hardware discovered by security researchers earlier this year.

When chained together, the bugs could allow someone to maliciously install a custom operating system and unsigned code on the Chromecast with Google TV. Patches for the bugs — tagged as CVE-2023-48424, CVE-2023-48425 and CVE-2023-6181 — were published on December 5.

The biggest concern is a tactic called supply chain interception, in which hackers intercept legitimate software updates or packages during the distribution process and replace them with malicious versions, according to Nolen Johnson, hardware and enterprise security consultant at DirectDefense, who was part of the team that discovered the bugs.

Johnson told Recorded Future News that it’s theoretically an issue for those who buy devices on platforms like eBay and other third-party retailers.

“It has been proven that various Android TV streaming boxes sold through these channels can be injected with malware. To safeguard against this, users should purchase from reputable sources,” he said. Chromecast streamers, like much Google-branded hardware, run Android OS.

“Users of the Chromecast can protect themselves by simply updating it via the Settings app,” Johnson said

The chain of exploits DirectDefense found “can be used to install malware/spyware on devices sold to average users for as little as $25,” he explained.

Google confirmed the issues in a statement to Recorded Future News.

"There were no devices impacted by the issue, and it was patched in a recent update," a Google spokesperson said.

Bug bounty paid

The researchers released a detailed overview of the vulnerabilities and provided videos illustrating the attack.

They developed exploits for the vulnerabilities in early 2023 and filed reports to Google in the second quarter of 2023. By June 7, Google acknowledged the issue and awarded the researchers a bug bounty afterward.

Google worked with the researchers to develop fixes throughout the fall before the patch release in early December.

The researchers said they exist on devices featuring the amlogic-based chipset.

With access to the devices, hackers could launch a range of attacks or collect information on targets. Remote controls paired with devices are sometimes equipped with built-in microphones that could be turned on remotely, the researchers said.

They added that with control of the remote, an attacker “could intercept communications by exploiting Bluetooth connectivity.” Hackers could also capture login credentials for applications through keyloggers.

The researchers noted that people now have the option of installing custom operating systems onto Chromecast devices. The concern, according to their findings, is that used devices could come with pre-installed malware or spyware.

“Many TV boxes circulating in these markets have been found to be intentionally pre-infected with malware, as highlighted in various videos that have recently been posted on YouTube,” they said.