Google fixes critical vulnerabilities in Chromecast devices
Take action: This vulnerability isn't terrible because Chromecast isn't directly exposed to the internet. Nevertheless, there are attack vectors that merit an update. If you are using Chromecast, keep it updated to latest firmware.
Learn More
Google has patched several critical vulnerabilities in Chromecast, disclosed after they were exploited at the HardPwn USA 2023 hardware hacking competition.
The vulnerabilities are tracked as:
- CVE-2023-6181 (CVSS3 score 9.8) - An oversight in BCB handling of reboot reason that allows for persistent code execution
- CVE-2023-48425 (CVSS3 score 9.8) - U-Boot vulnerability resulting in persistent Code Execution
- CVE-2023-48424 (CVSS3 score 9.8) - U-Boot shell vulnerability resulting in Privilege escalation in a production device
- CVE-2023-48417 (CVSS3 score 9.1) - Missing Permission checks resulting in unauthorized access and Manipulation in KeyChainActivity Application
DirectDefense published a blog post detailing the exploit chain which, although not directly enabling remote code execution, could facilitate persistent unauthorized code execution.
The Chromecast devices are not exposed to direct attack from the internet but still there is a risk that malware can be injected into Android TV streaming boxes sold through third-party retailers.
