Hacker Gadget Hijacks Google Chromecast, Rickrolls TVs
Credit: Rick Astley
UPDATE 7/16/2014 2:00pm EST: We clarified the way the RickMote accesses the targeted home Wi-Fi network.
You're sitting at home watching TV with your Google Chromecast when all of a sudden "Hemlock Grove" turns into a YouTube video of Rick Astley juking and jiving to his 1987 hit "Never Gonna Give You Up." You've been Rickrolled! But how?
The answer might be the Rickmote, a small computerized Wi-Fi controller designed and assembled by hacker and security researcher Dan Petro that was described to Wired News's Andy Greenberg. Built for less than $100, the Rickmote will try to hijack any Chromecast device within Wi-Fi range and replace the video stream with content of the hacker's choosing, such as the music video that has become the punchline of countless Internet-based pranks.
hoenix-based security consulting firm Bishop Fox, where Petro is a senior analyst, put together a video showing what the hack looks like from a target's perspective.
The Rickmote's heart is a Raspberry Pi, a simple and lightweight single-board computer about the size of a credit card. It also uses a touchscreen, a couple of output jacks and at least two wireless cards, all of which are housed in a 3D-printed case. The Raspberry Pi, which runs Linux, is loaded with Aircrack, an open-source application that tries to break into protected Wi-Fi networks, including those protected by the WEP, WPA and WPA2-PSK protocols, by cracking their passwords.
Full details of how the Rickmote hijacks a Chromecast will be revealed at this weekend's HOPE X hacker conference in New York, but from what we can glean, the hack appears to be quite possible — and even fairly straightforward.
To use a Rickmote, you have to be within range of the Wi-Fi network the targeted Chromecast is on. Even if the Wi-Fi network is secured, the Rickmote uses Aircrack to spoof the network's de-authenticate packets, as a Bishop Fox representative told us. "No matter how secure your home network is, it can't stop the Rickroll!" the representative told us.
Next, the RickMote sends a "deauth" (deauthorize) command to the targeted Chromecast device and the home network's wireless router, removing the Chromecast from the home network.
Google made it very easy for Chromecasts to connect to Wi-Fi networks, so that even the most tech-challenged customers can use them with ease. But in the presence of the Rickmote, what Google calls a feature becomes what security researchers would call a bug.
Thanks to this feature/bug, the Rickmote can easily establish a new connection with the Chromecast, which allows the Rickmote to reconfigure it. Within seconds, the Chromecast is bringing Rick Astley to the TV screen.
The switch from TV to Rick Astley isn't instantaneous, however; it takes about 30 seconds for the attack to complete. In the meantime, the prank's targets will see screens notifying them of the networks being disconnected and connected. P
Petro says the Rickmote can do more than just Rickroll: it can tell the Chromecast to play just about any content to which that Chromecast has access, from YouTube, Netflix, HBO Go or more.
Petro told Google about his Rickroll hack, but says Google responded that because the "bug" enables Chromecast's easy setup, Google can't easily patch it, as Petro told Greenberg.
Petro also discovered a more serious bug in Chromecast that might create a vulnerability that hackers could exploit to steal Wi-Fi credentials, including passwords. However, Petro told Greenberg he hasn't sufficiently studied the potential bug enough yet to come to any definitive conclusions.
Petro will present his Rickmote in New York City this weekend at the Hackers on Planet Earth (HOPE X) conference. Petro also says he'll release an updated device that will fully automate the hacking and rickrolling process.
"Let the prank war commence," his HOPE X presentation blurb concludes.
- 7 Scariest Security Threats headed Your Way
- How to Hack Other People's Drones for Less than $400
- 9 Tips to Stay Safe on Public Wi-Fi