Use a method similar to FlashCast(via OTG cable), then, well, run it.
- Non-vulnerable bootloaders will only run Google-signed code.
Thus, FlashCast requires a vulnerable bootloader, and the scenario here is that the unit has already been updated and therefore does not have a vulnerable bootloader. - OTG storage is not accessible in the stock kernel
- You cannot sideload apps on a non-rooted Chromecast, so you can't load exploit apps/software.
- Apps you can run all must be approved through the Google whitelist.
- Apps to gain root violate the terms of the Cast SDK, so don't expect them to get or stay on the whitelist.
- ADB, Telnet and SSH are all disabled without root.
So...
- Boot from OTG and do something, anything
See #1 - Run an exploit from OTG in normal mode
See #2 and #4 - Use a root exploit app like Towelroot, Master Key exploit, etc
See #2 and #3 - Release an exploiter app
See #4 and #5 - Root from PC
See #6 - Flash a pre-rooted ROM
See #1
So regardless of what internal vulnerabilities may exist, if you can't get to those vulnerabilities, they don't matter.
Much like having a weak front door lock on a house in a fortress. Easy to get through the door, but you have to penetrate the fortress first.
That said, there was mention that some exploit for Chromecast is to be released at DefCon, but we'll have to wait to see whether it's an exploit that allows root (hopefully so), and if Google discovers and patches that exploit before then (hopefully not).