Last week, Google alerted its users that Chromecast vulnerabilities had been fixed as part of the December Android security updates. The update addresses three vulnerabilities affecting AMLogic chips, homing in on the U-Boot subcomponent, and a KeyChain issue within the System component.
These vulnerabilities first surfaced in July during the HardPwn USA 2023 hardware hacking competition, held alongside the Hardwear.io conference in California. Notably, Google, Meta, and Parrot products were the focal points of the targeted attacks. At the competition, researchers earned varying amounts ranging from a few hundred dollars to tens of thousands for successfully exploiting Chromecast vulnerabilities.
Acknowledging the efforts of security researchers, Google credited Nolen Johnson of DirectDefense, Jan Altensen, and Ray Volpe for identifying CVE-2023-6181 and CVE-2023-48425. Lennert Wouters, rqu, and Thomas Roth (stacksmashing) were credited for CVE-2023-48424, while Rocco Calvi (TecR0c) and SickCodes were acknowledged for CVE-2023-48417.
DirectDefense shed light on a full Secure Boot exploit chain in a recent blog post authored by Johnson, Altensen, and Volpe. While not disclosing the exact bug bounty amount, the researchers emphasized that their exploit doesn’t directly enable remote code execution. However, it could let an attacker achieve persistent code execution without the victim’s awareness.
The primary concern, as highlighted by Johnson, revolves around potential supply chain interception on platforms like eBay and other third-party retailers. This is particularly worrisome because Android TV streaming boxes obtained through these channels have already proven susceptible to malware injection.
The researchers outlined three attack vectors: eMMC fault injection, an Android Verified Boot bypass, and a Bootloader Control Block (BCB) persistence method. The BCB persistence method, in particular, enables persistent compromise of the device without the user’s knowledge, underscoring the exposure to supply chain attacks.
TecR0c and SickCodes revealed that their KeyChain exploit earned them $500, unveiling Android vulnerabilities currently under review by Google. Their exploit, which could potentially be triggered by any installed application able to send Intents, could lead to unauthorized operations and compromise sensitive information.
Wouters, rqu, and Roth detailed a Chromecast exploit that earned them over $68,000. Their attack, which requires temporary physical access to the device, is primarily useful for “evil-maid” and supply-chain attacks, and for data recovery from lost or stolen devices. By corrupting signals during the boot process, they gained access to the bootloader and executed code with maximum permissions, compromising the Chromecast invisibly to the user.