Re: Chromecast devices?

[Emery Rudolph <erudolph () UMD EDU>]

While not a technical suggestion, I will say this; Technology is progressing faster than is possible to effectively 
address from the standpoint of traditional security means. It is very important avoid stifling these new avenues of 
content delivery and allow this new generation the freedom to explore their uses. In as much as these are un-moderated, 
un-regulated devices, there is little that can be done short of blocking them completely.

There is no difference between a Chromecast device accessing the network over another commodity device (phone, tablet, 
game consoles, etc), as long as these devices utilize high-level encryption WPA-2. Regarding inappropriate content 
broadcast over unsuspecting devices, that will be a problem because the device is inherently designed for open, sharing 
of content, but not necessarily in a large, un-regulated environment like a college dorm. The expectation was that 
people in the same room in a home or otherwise segregated from the greater public network would use these systems.

Eventually someone is going to broadcast sexually, religiously racially inflammatory content to someone, which will 
precipitate some level of scrutiny and policy around their use. This may be as simple as a warning to use at your own 
risk. Outside of providing each user their own hotspot or WIFI SID, there is not much you can do other than warn or 
block. At some point this issue will rise (if not already) to Google as a serious issue, which should prompt additional 
controls to allow users to accept or block content based on a user-defined key or access code. Perhaps Chromecast 2.0.

It may be a prudent move to raise this issue with Google so that they are explicitly aware of the concern.

Very Best Regards,

Emery Rudolph, MS
Manager
IT-ETI-PS Enterprise UNIX Services
University of Maryland
(301) 405-9379
http://www.umd.edu

[University of Maryland]

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Steven 
Bochniewicz
Sent: Wednesday, October 02, 2013 1:41 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Chromecast devices?

The security fixes are roll-ups of chrome security fixes plus a few to stop device hackers from gaining root.

On Wed, Oct 2, 2013 at 1:11 PM, Joe St Sauver <joe () oregon uoregon edu<mailto:joe () oregon uoregon edu>> wrote:
Joshua commented:

#Chromecast a cheap device that plugs into your TV and allow you to stream
#content from your computer or mobile device to your TV.  We have students
#who have purchased these devices.
#
#My concern is that as soon as you plug a Chromecast device into your TV,
#anyone who has the Chromecast software (free download) can play content
#on your TV (even harassing content or porn).

I was given one of these as a gift by a family member. (Thanks, son!)

The model obviously expects you to be operating in a closed personal
WiFi network, e.g., Ye Olde Family WiFi Private Network.

That "residential deployment model" expects that if Junior or Sissy
injects unacceptable content onto the family Chromecast, "surprising"
the family, Mom or Dad will detect the miscreant involved and discipline
them, likely by confiscating their system or revoking their access to
the family network until that pesron has Gotten the Message (as my
long departed parents used to describe it, way back when).

Clearly this is not a terrific access control model if you've got
500 random people connected to an unsegmented ResHall wireless
network, and of course, most schools aren't very happy if students
attempt to "deal with the issue" by running their own private WiFi
network, subordinate to their institutional connections, either.

A more sophisticated device pairing and authentication model is
obviously needed (but hey, we're talking a $35 device, right?)

I will also add that I'd love to see more specific release notes.
For example, mid September, Chromecast devices got build 13300.
That build included "Security fixes" (see
http://googlechromereleases.blogspot.com/2013/09/chromecast-update.html ),
but, unfortunately, I've not been able to find any additional information
about what those specific "security fixes" actually involved. Anyone
else know?

Regards,

Joe



--
Regards,

Steven Bochniewicz

Sr. IT Security Analyst
Enterprise Risk and Compliance
Steven.Bochniewicz () umuc edu<mailto:Steven.Bochniewicz () umuc edu>