Originally Posted by MadBob
Yes, but you have to be rooted to do it.
Hence the chicken-and-egg scenario...
The OTA server communication goes through HTTPS, so Chromecast has its security certificate.
If you were to do a MITM attack, you don't have Google's certificate, so the HTTPS request will fail.
It would be easy if you could add your server's certificate to Chromecast.
But that requires having root, which we don't have.
Also, the secure bootloader will only load Google-signed code.
So you'd need to have Google's private key, which nobody but Google has.
Running a custom player app (that runs on Chromecast) to find a vulnerability is challenging too.
In order to run a "custom" player app, you need to sign up to be a Google dev.
The player app will only run for your registered Chromecast(s), not anyone else's.
Adding to that, almost all apps run in a Chrome sandbox.
In order for a player app to run for everybody, Google has to put it on their whitelist.
Which essentially means even if you were to find a vulnerability, Google would be able to yank your player app almost immediately.
Then Google would patch the exploit and release a new firmware...
Stock Chromecasts auto-update and you can't (yet) choose not to accept the update, so you can't avoid the update while still being able to use Chromecast (this might be possible through router blocking/redirection - not sure).
So what does that leave?
A client-side app that somehow takes advantage of a vulnerability in an existing Chromecast player app or service.
Google would still be able to force the developer to update the app, or they themselves could update the firmware, but at least a client-side app could be available for Chromecasts with builds still vulnerable to it, similar to how FlashCast is available for Chromecasts that still have the vulnerable bootloader.
...and of course the existing FlashCast for those few Chromecasts that still have the vulnerable bootloader.
Wish I was artsy enough to make an infographic, heh.