XDA Developers Android and Mobile Development Forum

Rooted Chromecast with Web Panel = Problems with security

 
#1 mathorv (OP)
(Last edited by mathorv; 16th February 2014 at 11:39 AM.)

I was playing with it for only a few hours...

and I am concerned about the current level of security of a rooted Chromecast.

If you

reboot the wireless router (wireless access point)
OR
the wireless router is down/malfunctioning
OR
communication between the Chromecast and the wireless router is jammed
OR
someone used the Aircrack-ng suite to disconnect the Chromecast from the wireless router

your Chromecast has just created an open wireless network for configuration purposes...


and the Team-Eureka HTTP panel is accessible at, most likely, the default IP address 192.168.255.253; it also provides you with an IP address via internal DHCP.

Look a bit at the config:

http://192.168.255.249/?page=status
and then
http://192.168.255.249/?page=settings

Be sure that telnet, SSH and adb are running.

Just connect with telnet or SSH; the privileged user is root, and there is no password.

cat /data/wifi/wpa_supplicant.conf

Code:
ctrl_interface=/data/wifi
update_config=1
country=US

network={
        ssid="my wifi essid"
        scan_ssid=1
        psk=my password on a silver plate in WPA PSK HEX(64 characters)
        proto=RSN
        key_mgmt=WPA-PSK
}
You have just owned someone's Chromecast and can abuse his wireless network.
Still got time to tinker with the Chromecast? Maybe plant some Android-type backdoor... NSA style...

How to fix this?

1. Be sure that the internal web server is not vulnerable.
2. HTTPS.
3. HTTP panel accessible only after providing a password that is by default, for instance, the SHA-1 hash of the serial number
(the user may take a picture of his own Chromecast and use a tool/service to generate the hash); it should be changed at first login.
4. adb, telnet and SSH disabled by default.
5. Root password.

Basic stuff...
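A way to check, from the laptop you have just joined to the open setup SSID, which of the services post #1 lists are actually reachable. This is an added example, not code from the thread or from the Team-Eureka panel: 192.168.255.249 is the panel address the post quotes, and the port numbers are the conventional defaults for each service (an assumption, as is the host you pass in).

```python
"""Added example (not from the thread or the Eureka panel): audit which
management services a rooted Chromecast exposes while it is in open-AP mode."""
import socket
from concurrent.futures import ThreadPoolExecutor

PANEL_HOST = "192.168.255.249"   # panel address quoted in the thread (assumed unchanged)

# Assumed ports: the conventional defaults for each service named in post #1.
SERVICES = {
    22: "ssh (modified dropbear: root, any password accepted)",
    23: "telnet (busybox: root, no password)",
    80: "http panel (?page=debug runs shell commands unauthenticated)",
    5555: "adb",
}
SHELL_PORTS = {22, 23, 5555}    # any of these reachable means a root shell


def probe(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP handshake with host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit(host: str = PANEL_HOST, ports=SERVICES, timeout: float = 1.0) -> dict:
    """Probe every port in parallel; returns {port: reachable}."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=max(1, len(ports))) as pool:
        reachable = list(pool.map(lambda p: probe(host, p, timeout), ports))
    return dict(zip(ports, reachable))


def verdict(result: dict) -> str:
    """Rank the finding: 'root-shell' if a shell service answered, 'panel' if
    only the HTTP panel did, otherwise 'closed'."""
    open_ports = {p for p, up in result.items() if up}
    if open_ports & SHELL_PORTS:
        return "root-shell"
    if 80 in open_ports:
        return "panel"
    return "closed"


def report(result: dict, services=SERVICES) -> list:
    """One line per port, e.g. '   23 open   telnet (...)', for printing or logging."""
    return [f"{p:>5} {'open' if up else 'closed':<6} {services.get(p, '?')}"
            for p, up in sorted(result.items())]


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else PANEL_HOST
    res = audit(host)
    print("\n".join(report(res)))
    print("verdict:", verdict(res))
```

Run it as soon as you are associated, since post #10 notes the device is only in AP mode during setup. A reachable port 80 on its own still amounts to a root shell, because the `?page=debug` page described in post #9 runs arbitrary commands; `verdict` reports it as "panel" only so the two findings stay distinguishable in a log.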
 
#2 ddggttff3 (Recognized Contributor / Recognized Developer)
(Last edited by ddggttff3; 22nd January 2014 at 01:36 PM.)
First off, if you are worried about our panel's security, it is open source, so feel free to audit it for any vulnerabilities.

Also, we are working on a new revision of the panel which not only includes password support, but also the ability to set an SSH password. The reason none is set ATM is because by default the root account on the Chromecast has none, so we have a modified dropbear binary that will allow any password to work.

As for HTTPS on the web panel, that will be available, but it will not be "enforced" (at least that is the current plan). We may add a panel option that enforces HTTPS though, for users who are concerned about security on their local wireless network.

Now telnet's another story: because it's generated with busybox it's hard to have a password enforced, but you can just disable it. Same goes with ADB.

We know right now our services are not the most locked-down, but trust me, most of it has already been fixed on our end and these changes will be out with the next OTA.
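The password gate post #1 asks for and post #2 says is in the works, written out as an added example (not the Eureka panel's code). The initial password is the SHA-1 of the serial, as proposed, but it is only the bootstrap credential: what is stored is a salted PBKDF2 hash, the first login is forced into a password change, and the serial-derived value is refused as the replacement. The serial string, iteration count and length policy are assumptions.

```python
"""Added example (not the Eureka panel's own code): the first-login password
model proposed in post #1, with the default derived from the device serial."""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000   # assumption: cheap enough for the Chromecast's ARM SoC
MIN_PASSWORD_LEN = 12         # assumption: policy for the replacement password


def default_password(serial: str) -> str:
    """Initial password as proposed in the thread: hex SHA-1 of the serial
    printed on the device. It is an encoding of public data, not a secret."""
    return hashlib.sha1(serial.strip().encode("utf-8")).hexdigest()


class PanelAuth:
    """Credential store for the web panel: salted PBKDF2 hash plus a
    first-login flag that only a successful password change clears."""

    def __init__(self, serial: str):
        self._default = default_password(serial)
        self._salt = os.urandom(16)
        self._hash = self._derive(self._default)
        self.must_change = True

    def _derive(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   self._salt, PBKDF2_ITERATIONS)

    def _matches(self, password: str) -> bool:
        # Constant-time compare so a wrong guess does not leak by timing.
        return hmac.compare_digest(self._derive(password), self._hash)

    def login(self, password: str) -> str:
        """'denied', 'change-required' (default still in place) or 'ok'."""
        if not self._matches(password):
            return "denied"
        return "change-required" if self.must_change else "ok"

    def change_password(self, current: str, new: str) -> bool:
        """Rotate the credential. Refuses a wrong current password, a short
        replacement, or reuse of the serial-derived default (anyone with a
        photo of the device knows that one)."""
        if not self._matches(current):
            return False
        if len(new) < MIN_PASSWORD_LEN:
            return False
        if hmac.compare_digest(new.encode("utf-8"), self._default.encode("utf-8")):
            return False
        self._salt = os.urandom(16)          # fresh salt on every rotation
        self._hash = self._derive(new)
        self.must_change = False
        return True


if __name__ == "__main__":
    auth = PanelAuth("ABC123")               # constructed serial, not a real one
    first = default_password("ABC123")
    print("first login:", auth.login(first))
    print("changed:", auth.change_password(first, "correct horse battery"))
    print("old default now:", auth.login(first))
```

The serial is printed on the device, so anyone who can photograph it knows the default; the point of the forced change is that the window in which that default works is exactly one login. SHA-1 here is only the proposed encoding of the serial, never the stored hash.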
 
#3 mathorv (OP)
Quote: Originally Posted by ddggttff3
First off, if you are worried about our panel's security, it is open source, so feel free to audit it for any vulnerabilities.

Also, we are working on a new revision of the panel which not only includes password support, but also the ability to set an SSH password. The reason none is set ATM is because by default the root account on the Chromecast has none, so we have a modified dropbear binary that will allow any password to work.

As for HTTPS on the web panel, that will be available, but it will not be "enforced" (at least that is the current plan). We may add a panel option that enforces HTTPS though, for users who are concerned about security on their local wireless network.

Now telnet's another story: because it's generated with busybox it's hard to have a password enforced, but you can just disable it. Same goes with ADB.

We know right now our services are not the most locked-down, but trust me, most of it has already been fixed on our end and these changes will be out with the next OTA.

Thank you for the fast and exhaustive answer.

Any "ETA" for a build with the features you mentioned?

Is there any roadmap for Eureka-ROM?

Any chance of something dedicated to LAN streaming?
(Chrome full screen is buggy, Plex is a $ app, Fling is written in Java and no longer in development.)

If there will be any beta or RC I am willing to participate. (Not so many things to test there.)
 
#4 ddggttff3
Quote: Originally Posted by mathorv
Thank you for the fast and exhaustive answer.

Any "ETA" for a build with the features you mentioned?

Is there any roadmap for Eureka-ROM?

Any chance of something dedicated to LAN streaming?
(Chrome full screen is buggy, Plex is a $ app, Fling is written in Java and no longer in development.)

If there will be any beta or RC I am willing to participate. (Not so many things to test there.)
We don't really do ETAs, but we try to have updates out right after Google OTAs, or when there is a severe bug. As for a roadmap, we currently don't have one public due to it constantly changing.

LAN streaming still works with Fling (as we have Fling added back to our ROMs through our whitelist service), but that is all I know of. If other users want to create apps that can utilize Fling, that would be awesome.

And last, for testing, currently I have more than enough testers for when beta updates roll out. Keep your eyes open in the future as I may do open signups again at a later date.
 
#5 Asphyx
Well, the scenarios you set out would apply to non-rooted CCasts as well...

If they hacked your wireless with Aircrack to set up a disconnect, then you were exposed long before they reconfigured the CCast, and they can do a lot more damage with that access without you ever noticing than they could through the CCast.

You would notice the CCast changing, but you wouldn't notice someone hacked your wireless without looking at the router logs or noticing degraded network performance.

If these things are a concern for you then I suggest you turn on MAC filtering on your router, set allows for the CCast and all the devices you own, and deny all others.

But the concerns you have exist regardless of a rooted CCast. Leaving a CCast unconnected might expose the CCast to being taken over, since it will be an open AP anyone can connect to... And they can Aircrack your router even with a stock CCast.
But if you see that, just look out the window, because they would probably have to be sitting on your porch or parked in your driveway to do it!

I don't know many hackers who are THAT brazen! LOL
 
#6 mathorv (OP)
(Last edited by mathorv; 22nd January 2014 at 07:20 PM.)
Quote: Originally Posted by Asphyx
Well, the scenarios you set out would apply to non-rooted CCasts as well...

If they hacked your wireless with Aircrack to set up a disconnect, then you were exposed long before they reconfigured the CCast, and they can do a lot more damage with that access without you ever noticing than they could through the CCast.

You would notice the CCast changing, but you wouldn't notice someone hacked your wireless without looking at the router logs or noticing degraded network performance.

If these things are a concern for you then I suggest you turn on MAC filtering on your router, set allows for the CCast and all the devices you own, and deny all others.

But the concerns you have exist regardless of a rooted CCast. Leaving a CCast unconnected might expose the CCast to being taken over, since it will be an open AP anyone can connect to... And they can Aircrack your router even with a stock CCast.
But if you see that, just look out the window, because they would probably have to be sitting on your porch or parked in your driveway to do it!

I don't know many hackers who are THAT brazen! LOL
Reconfiguring a stock Chromecast is one thing, and that's not so much of a problem. The attacker doesn't get the password, just info about the name of the connected network. In that scenario the attacker gets the ESSID and handshakes, or reconfigures the Chromecast's wireless settings (ESSID/password).

The problem is that with a rooted one the attacker has access to adb/telnet/SSH. In that scenario the attacker has easy access to the ESSID/password in plain text and may do this unnoticed.

About ranges:
What if someone lives in the center of a city? A skyscraper area?

About suburban areas, I am not convinced that people in the US live in houses with brick/concrete-block walls; this is not the EU.

Have you ever used the Aircrack-ng suite and some GNU/Linux wireless pentesting distro?
You can attach a high-gain directional antenna to a 2000 mW wireless card (Alfa brand, for instance) and use software tweaks.

Ranges are much higher than you would anticipate.

About Chromecast setting security - yes, it is ridiculous.
It asks if you see XYZ9 on the screen (always click yes, right?).
It should at least ask for some automatically generated password that is visible on the screen...

So for now we may create an additional wireless network/VLAN with max one client and connection restrictions...
 
#7 Asphyx
Quote: Originally Posted by mathorv
Have you ever used the Aircrack-ng suite and some GNU/Linux wireless pentesting distro?
You can attach a high-gain directional antenna to a 2000 mW wireless card (Alfa brand, for instance) and use software tweaks.
Yes, many times, and the loopholes you suggest in your scenario are not limited to the rooted version at all...
Sure, there are extra tools in the rooted version that do not exist in the non-rooted one...

But the scenario suggested gives you about 30 seconds to get what you want before the router is back up, the CCast reconnects and shuts down your session!
And they still have the problem of how to shut down your router, or of knowing when it will happen, to start working the hack.

Sure, someone could probably get what they want in that timeframe...
But someone that good really is not going to be interested in hacking YOU!

Not unless you're some cartel leader or bank executive.

People who have no business rooting anything if they want security... LOL
 
#8 mathorv (OP)
(Last edited by mathorv; 23rd January 2014 at 09:13 AM.)
Quote: Originally Posted by Asphyx
Yes, many times, and the loopholes you suggest in your scenario are not limited to the rooted version at all...
Sure, there are extra tools in the rooted version that do not exist in the non-rooted one...

But the scenario suggested gives you about 30 seconds to get what you want before the router is back up, the CCast reconnects and shuts down your session!
And they still have the problem of how to shut down your router, or of knowing when it will happen, to start working the hack.

Sure, someone could probably get what they want in that timeframe...
But someone that good really is not going to be interested in hacking YOU!

Not unless you're some cartel leader or bank executive.

People who have no business rooting anything if they want security... LOL
@ "but someone that good really is not going to be interested in hacking YOU!"
The world is full of sick people; besides, over the years it has become easy, a primary-school kid can do it, every hacking tool has a GUI now.

@ features - it would be nice to override Wi-Fi from the panel. Sometimes the Chromecast indicates "connecting" status while at the same time it is connected to the secure Wi-Fi and has the open configuration Wi-Fi up.

@ alpha builds - I would be glad to flash anything newer that does not totally break the Chromecast and is safer for now.
 
#9 mathorv (OP)
Is the web panel risky?

Sorry, it's even worse:
1. connect to the device if it's in open-network AP state
2. http://192.168.255.249/?page=debug
3. cat /data/wifi/wpa_supplicant.conf
4. SEND
Gone in less than 30 seconds.
 
#10 ddggttff3
Quote: Originally Posted by mathorv
Sorry, it's even worse:
1. connect to the device if it's in open-network AP state
2. http://192.168.255.249/?page=debug
3. cat /data/wifi/wpa_supplicant.conf
4. SEND
Gone in less than 30 seconds.
Good thing devices are only in AP mode for setup. Besides, once the new web panel is released, this will be a non-issue.