(1) AST of method: a(java.lang.String,java.lang.String) class: com.google.android.apps.chromecast.app.n.k
Unique Nodes with their domain types.
Node(Input Param): s | Domain Type: plaintext
Node(Input Param): s2 | Domain Type: publicKey
Node: final byte[] decode = Base64.decode(s2, 0) | Domain Type: publicKey
Node: Base64.decode(s2, 0) | Domain Type: publicKey
Node: decode | Domain Type: publicKey
Node: final byte[] array = new byte[k.a.length + decode.length] | Domain Type: publicKey
Node: new byte[k.a.length + decode.length] | Domain Type: publicKey
Node: array | Domain Type: publicKey
Node: k.a | Domain Type: publicKey
Node: final PublicKey generatePublic = KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(array)) | Domain Type: publicKey
Node: KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(array)) | Domain Type: publicKey
Node: generatePublic | Domain Type: publicKey
Node: new X509EncodedKeySpec(array) | Domain Type: encodedKey -> publicKey
Node: final Cipher instance = Cipher.getInstance("RSA/None/PKCS1Padding", "BC") | Domain Type: asymmetric
Node: Cipher.getInstance("RSA/None/PKCS1Padding", "BC") | Domain Type: asymmetric
Node: instance | Domain Type: asymmetric
Node: instance.init(1, generatePublic) | Domain Type: encryption
Node: instance.doFinal(s.getBytes()) | Domain Type: ciphertext
Node(Return Statement): return Base64.encodeToString(instance.doFinal(s.getBytes()), 2); | Domain Type: ciphertext
Node: s.getBytes() | Domain Type: plaintext

(2) AST of method: a(android.util.SparseArray,com.google.android.apps.chromecast.app.n.k) class: com.google.android.apps.chromecast.app.cp
Unique Nodes with their domain types.
Node: com.google.android.apps.chromecast.app.n.k.a(this.x.e(), this.w.L().y()) | Domain Type: ciphertext
Node(Input Param): paramSparseArray | Domain Type: ciphertext

(3) AST of method: a(i,X509Certificate) class: com.google.android.apps.chromecast.app.s.e
Unique Nodes with their domain types.
Node: publicKey | Domain Type: cert public_key
Node: x509Certificate.getPublicKey() | Domain Type: cert public_key
Node(Input Param): x509Certificate | Domain Type: certificate
Node: array | Domain Type: original_text -> hash
Node: PublicKey publicKey | Domain Type: cert public_key

(4) AST of method: a(byte[]) class: com.google.android.apps.chromecast.app.s.e
Unique Nodes with their domain types.
Node: MessageDigest.getInstance("SHA1").digest(digest) | Domain Type: original_text -> hash
Node: MessageDigest.getInstance("SHA1") | Domain Type: hash
Node(Input Param): digest | Domain Type: original_text -> hash

The extracted specification of the Chromecast system as a list of Protocol Information (PIL)
PIL1 = ['1', 'SD,CP,wifi0', 'msg=(ChromecastWiFiBeacon,SSID,BSSID)', 'ACSeq=<(SD,send,{msg}),(CP,receive,{msg})>', 'ch=wifi0', 'rLC=-', 'BR={1}']
PIL2 = ['2', 'CP,SD,wifi0', 'msg=(SSID,OpenSystemAuthenticationRequest)', 'ACSeq=<(CP,send,{msg}),(SD,receive,{msg})>', 'ch=wifi0', 'rLC=-', 'BR={-}']
PIL3 = ['3', 'SD,CP,wifi0', 'msg=(AssociationResponse)', 'ACSeq=<(SD,send,{msg}),(CP,receive,{msg})>', 'ch=wifi0', 'rLC=-', 'BR={6,8,10,12,16}']
PIL4 = ['4', 'CP,SD,openwifi', 'msg=(GetEurekaInfo,SignRParam,VersionRParam,NameRParam,SetupStateRParam,EthernetConnectedRParam,IPaddressRParam,SsdpUdnRParam,ModelNameRParam,DeviceCapabilitiesRParam,SSIDSuffixRParam,TosAcceptedRParam,PublicKeyRParam,BSSIDRParam,x)', 'ACSeq=<(CP,newnonce,{x}),(CP,send,{msg}),(SD,receive,{msg})>', 'ch=openwifi', 'rLC=-', 'BR={-}']
PIL5 = ['5', 'SD,CP,openwifi', 'msg=(Version,Name,SetupState,EthernetConnected,IPaddress,SsdpUdn,ModelName,DeviceCapabilities,SSIDSuffix,TosAccepted,BSSID,PublicKey,Certificate,IntermediateCerts,SignedData,x)', 'ACSeq=<(SD,send,{msg}),(CP,receive,{msg})>', 'ch=openwifi', 'rLC=-', 'BR={4}']
PIL6 = ['6', 'CP,SD,openwifi', 'msg=(PostScanWifi)', 'ACSeq=<(CP,send,{msg}),(SD,receive,{msg}),(SD,executeCommand,{msg})>', 'ch=openwifi', 'rLC=-', 'BR={-}']
PIL7 = ['7', 'SD,CP,openwifi', 'msg=(SuccessScanRequest)', 'ACSeq=<(SD,send,{msg}),(CP,receive,{msg})>', 'ch=wifi', 'rLC=-', 'BR={6}']
PIL8 = ['8', 'CP,SD,openwifi', 'msg=(GetScanResults)', 'ACSeq=<(CP,send,{msg}),(SD,receive,{msg})>', 'ch=openwifi', 'rLC=-', 'BR={-}']
PIL9 = ['9', 'SD,CP,openwifi', 'msg=(HomeWifiSSID,HomeWifiBSSID,Frequency,SignalLevel,WPAAuth7,WPACiper4)', 'ACSeq=<(SD,send,{msg}),(CP,receive,{msg})>', 'ch=openwifi', 'rLC=-', 'BR={8}']
PIL10 = ['10', 'CP,SD,openwifi', 'msg=(PostConnectWifi,SSID,aenc(Password,PublicKey),WPAAuth7,WPACiper4)', 'ACSeq=<(CP,send,{msg}),(SD,receive,{msg})>', 'ch=openwifi', 'rLC=-', 'BR={-}']
PIL11 = ['11', 'SD,CP,openwifi', 'msg=(SuccessConnectRequest,adec(aenc(Password,PublicKey),PrivateKey),PrivateKey)', 'ACSeq=<(SD,send,{msg}),(CP,receive,{msg})>', 'ch=openwifi', 'rLC=-', 'BR={-}']
PIL12 = ['12', 'CP,SD,openwifi', 'msg=(GetEurekaInfo,IPaddressRParam,VersionRParam,SetupStateRParam)', 'ACSeq=<(CP,send,{msg}),(SD,receive,{msg})>', 'ch=openwifi', 'rLC=-', 'BR={-}']
PIL13 = ['13', 'SD,CP,openwifi', 'msg=(NewIPAddress,Version,NewSetupState)', 'ACSeq=<(SD,send,{msg}),(CP,receive,{msg})>', 'ch=openwifi', 'rLC=-', 'BR={12}']
PIL14 = ['14', 'CP,SD,openwifi', 'msg=(PostSetEurekaInfo,NewName,OptInStatusTrue)', 'ACSeq=<(CP,send,{msg}),(SD,receive,{msg})>', 'ch=openwifi', 'rLC=-', 'BR={-}']
PIL15 = ['15', 'SD,CP,openwifi', 'msg=(SuccessSetRequest)', 'ACSeq=<(SD,send,{msg}),(CP,receive,{msg})>', 'ch=openwifi', 'rLC=-', 'BR={14}']
PIL16 = ['16', 'CP,SD,openwifi', 'msg=(PostSaveWifi,ImmediateTrue)', 'ACSeq=<(CP,send,{msg}),(SD,receive,{msg})>', 'ch=openwifi', 'rLC=-', 'BR={-}']
PIL17 = ['17', 'SD,CP,openwifi', 'msg=(SuccessSaveRequest)', 'ACSeq=<(SD,send,{msg}),(CP,receive,{msg})>', 'ch=openwifi', 'rLC=-', 'BR={16}']
PIL18 = ['18', 'CP,SD,wifi', 'msg=(MDNSDiscoveryRequest)', 'ACSeq=<(CP,send,{msg}),(SD,receive,{msg})>', 'ch=wifi', 'rLC=-', 'BR={18}']
PIL19 = ['19', 'SD,CP,wifi', 'msg=(MDNSDiscoveryResponse)', 'ACSeq=<(SD,send,{msg}),(CP,receive,{msg})>', 'ch=wifi', 'rLC=-', 'BR={-}']
PIL20 = ['20', 'SD,GS,wifi', 'msg=(ValidScreenID)', 'ACSeq=<(SD,send,{msg}),(GS,receive,{msg})>', 'ch=wifi', 'rLC=-', 'BR={-}']
PIL21 = ['21', 'CP,SD,wifi', 'msg=(GetMdxSessionStatus)', 'ACSeq=<(CP,send,{msg}),(SD,receive,{msg})>', 'ch=wifi', 'rLC=-', 'BR={-}']
PIL22 = ['22', 'SD,CP,wifi', 'msg=(ScreenID)', 'ACSeq=<(SD,send,{msg}),(CP,receive,{msg})>', 'ch=wifi', 'rLC=-', 'BR={-}']
PIL23 = ['23', 'CP,GS,wifi', 'msg=(GetLoungToken,ScreenID)', 'ACSeq=<(CP,send,{msg}),(GS,receive,{msg})>', 'ch=wifi', 'rLC=-', 'BR={-}']
PIL24 = ['24', 'GS,CP,wifi', 'msg=(association(ScreenID),Expiration,ScreenID)', 'ACSeq=<(GS,send,{msg}),(GS,executeCommand,{SaveMapScreenIDandAssoc}),(CP,receive,{msg}),(CP,receive,{msg})>', 'ch=wifi', 'rLC=-', 'BR={25,27}']
PIL25 = ['25', 'CP,GS,wifi', 'msg=(GetScreenAvailability,association(ScreenID))', 'ACSeq=<(CP,send,{msg}),(GS,receive,{msg}),(GS,verify,{msg}),(GS,executeCommand,{msg})>', 'ch=wifi', 'rLC=-', 'BR={-}']
PIL26 = ['26', 'GS,CP,wifi', 'msg=(AvailabilityResponse,association(ScreenID))', 'ACSeq=<(GS,send,{msg}),(CP,receive,{msg})>', 'ch=wifi', 'rLC=-', 'BR={25}']
PIL27 = ['27', 'CP,GS,wifi', 'msg=(PostBindRequest,association(ScreenID),Device,ID,ControlPointName,AppName,MethodSetPlayList,VideoID)', 'ACSeq=<(CP,send,{msg}),(GS,receive,{msg}),(GS,verify,{assoc(ScreenID),ValidScreenID})>', 'ch=wifi', 'rLC=-', 'BR={-}']
PIL28 = ['28', 'GS,CP,wifi', 'msg=(CurrentVideoID,SID,GsessionID,LoungStatus,PlaylistModified,OnAutoplayModeChanged,OnPlaylistModeChanged)', 'ACSeq=<(GS,executeCommand,{StreamVideoID}),(GS,send,{msg}),(CP,receive,{msg})>', 'ch=wifi', 'rLC=-', 'BR={27,29}']
PIL29 = ['29', 'CP,GS,wifi', 'msg=(PostBindRequest,association(ScreenID),Device,ID,ControlPointName,AppName,MethodSetPlayList)', 'ACSeq=<(CP,send,{msg}),(GS,receive,{msg}),(GS,verify,{association(ScreenID),ValidScreenID})>', 'ch=wifi', 'rLC=-', 'BR={-}']
PIL30 = ['30', 'GS,CP,wifi', 'msg=(CurrentVideoID,SID,GsessionID,LoungStatus,PlaylistModified,OnAutoplayModeChanged,OnPlaylistModeChanged)', 'ACSeq=<(GS,send,{msg}),(CP,receive,{msg})>', 'ch=wifi', 'rLC=-', 'BR={29}']

Figure: The Local LTS of the Chromecast CP, SD and GS generated by HomeScan.
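The PIL entries above are Python list literals, so they can be parsed directly. The following is an added example (not HomeScan's code): a parser for the PIL format plus a check that, for every message on an open channel, reports how a named secret term is wrapped and where the key used to wrap it was first sent. It assumes the field layout visible in the list (index, 'src,dst,channel', msg, ACSeq, ch, rLC, BR) and embeds three entries copied from the list above (PIL5, PIL10, PIL11) as a constructed sample input.

```python
import ast
import re

# Constructed sample: three entries copied from the PIL list above (the PublicKey term is spelled
# the same way in all three so that the key sent in PIL5 is the one named inside aenc in PIL10).
SAMPLE_PIL = """
PIL5 = ['5', 'SD,CP,openwifi', 'msg=(Version,Name,SetupState,EthernetConnected,IPaddress,SsdpUdn,ModelName,DeviceCapabilities,SSIDSuffix,TosAccepted,BSSID,PublicKey,Certificate,IntermediateCerts,SignedData,x)', 'ACSeq=<(SD,send,{msg}),(CP,receive,{msg})>', 'ch=openwifi', 'rLC=-', 'BR={4}']
PIL10 = ['10', 'CP,SD,openwifi', 'msg=(PostConnectWifi,SSID,aenc(Password,PublicKey),WPAAuth7,WPACiper4)', 'ACSeq=<(CP,send,{msg}),(SD,receive,{msg})>', 'ch=openwifi', 'rLC=-', 'BR={-}']
PIL11 = ['11', 'SD,CP,openwifi', 'msg=(SuccessConnectRequest,adec(aenc(Password,PublicKey),PrivateKey),PrivateKey)', 'ACSeq=<(SD,send,{msg}),(CP,receive,{msg})>', 'ch=openwifi', 'rLC=-', 'BR={-}']
"""

# One entry per match, also when the entries are run together on a single line.
_ENTRY = re.compile(r"PIL(\d+)\s*=\s*(\[.*?\])\s*(?=PIL\d+\s*=|\Z)", re.S)

def parse_term(s):
    """Parse 'name' or 'name(arg,arg(...),...)' into nested (name, [args]) tuples."""
    pos = 0
    def term():
        nonlocal pos
        start = pos
        while pos < len(s) and s[pos] not in "(),":
            pos += 1
        name, args = s[start:pos].strip(), []
        if pos < len(s) and s[pos] == "(":
            pos += 1
            while s[pos] != ")":
                args.append(term())
                if s[pos] == ",":
                    pos += 1
            pos += 1
        return (name, args)
    return term()

def parse_pil(text):
    """Return {n: {src, dst, ch, msg, based_on}} for every 'PILn = [...]' entry in text."""
    entries = {}
    for num, literal in _ENTRY.findall(text):
        f = ast.literal_eval(literal)
        src, dst, _ = (p.strip() for p in f[1].split(","))
        def field(i):                       # 'msg=(...)' -> '(...)', 'BR={4}' -> '{4}', ...
            return f[i].split("=", 1)[1].strip()
        entries[int(num)] = {
            "src": src, "dst": dst, "ch": field(4),
            "msg": parse_term("msg" + field(2)),   # ('msg', [top-level terms])
            "based_on": [int(b) for b in field(6).strip("{}").split(",") if b.strip().isdigit()],
        }
    return entries

def find(term, name, path=()):
    """Yield, for each occurrence of `name`, the chain of enclosing terms (outermost first)."""
    head, args = term
    if head == name:
        yield path
    for a in args:
        yield from find(a, name, path + (term,))

def credential_exposure(entries, secret="Password"):
    """Every message on an open channel that mentions `secret`, with the crypto terms around it."""
    report = []
    for num, e in sorted(entries.items()):
        if not e["ch"].startswith("open"):
            continue
        for path in find(e["msg"], secret):
            wrappers = [t[0] for t in path if t[0] != "msg"]
            aenc = next((t for t in path if t[0] == "aenc"), None)
            key = aenc[1][1][0] if aenc and len(aenc[1]) > 1 else None   # second argument of aenc
            report.append({"pil": num, "src": e["src"], "dst": e["dst"], "wrappers": wrappers, "key": key})
    return report

def first_sender(entries, name):
    """(PIL number, sender, channel) of the first message carrying `name` as a bare top-level term."""
    for num, e in sorted(entries.items()):
        if any(all(t[0] == "msg" for t in path) for path in find(e["msg"], name)):
            return num, e["src"], e["ch"]
    return None

if __name__ == "__main__":
    spec = parse_pil(SAMPLE_PIL)
    for row in credential_exposure(spec):
        print(row)
    print("PublicKey first sent in PIL", first_sender(spec, "PublicKey"))
```

Run on the sample, the report shows Password leaving the CP in PIL10 only under aenc with key PublicKey, and first_sender places that PublicKey in PIL5, sent by the SD on openwifi, i.e. the same open channel. The parser records the Certificate, IntermediateCerts and SignedData terms that accompany it in PIL5 but does not model their verification; that is the part of the specification a reviewer has to check separately.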
Model, Attacker and Security Properties
The CP of both systems discovers the SD by the MAC address pattern of its Wi-Fi hotspot (e.g., “D0:71:23” for LIFX and “FA:8F:CA” for Chromecast), a vendor prefix assigned by the manufacturer. As a consequence, these CPs are vulnerable to connecting to a fake SD hotspot that advertises a BSSID with a valid vendor prefix. Furthermore, it is common for the CP in smart home systems to send the SSID and password of the home Wi-Fi over the SD’s open hotspot while configuring the system; in the Chromecast specification above, the password goes out in PIL10 as aenc(Password,PublicKey), where PublicKey is the key the SD delivered in PIL5 over the same open channel.
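The CP side of PIL10 as method (1) describes it, and the SD side of PIL11, as an added example that is not the app's code nor HomeScan's. It assumes that the constant k.a is the SubjectPublicKeyInfo header and that the PublicKey field of PIL5 is the Base64 of a bare PKCS#1 RSAPublicKey (the page shows k.a being prepended to the decoded bytes before X509EncodedKeySpec, not what k.a contains). The DER helpers, RSA key generation and PKCS#1 v1.5 padding are written out in pure Python so the example runs offline; the 512-bit key size is a toy choice for speed.

```python
import base64
import secrets

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1, rsaEncryption

# Minimal DER helpers, enough for RSAPublicKey and SubjectPublicKeyInfo.
def der_tlv(tag, body):
    n = len(body)
    ln = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + ln + body
def der_int(x):
    body = x.to_bytes(max(1, (x.bit_length() + 7) // 8), "big")
    return der_tlv(0x02, (b"\x00" if body[0] & 0x80 else b"") + body)  # keep the INTEGER positive
def der_read(buf, pos=0):
    """Return (tag, body, position after this element) for the TLV at buf[pos]."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        nbytes = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + ln], pos + ln
def rsa_public_key_der(n, e):
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    return der_tlv(0x30, der_int(n) + der_int(e))
def spki_prefix(rsa_public_key_body):
    """SubjectPublicKeyInfo header that turns a bare RSAPublicKey into the X.509 encoding. Assumption:
    this is what the constant k.a of method (1) holds (hard-coded there for the SD's fixed key size)."""
    alg = der_tlv(0x30, RSA_OID + b"\x05\x00")  # AlgorithmIdentifier {rsaEncryption, NULL}
    spki = der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + rsa_public_key_body))
    return spki[: len(spki) - len(rsa_public_key_body)]

def parse_spki(spki):
    """What KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(array)) yields: (n, e)."""
    _, seq, _ = der_read(spki)
    _, alg, pos = der_read(seq)
    if not alg.startswith(RSA_OID):
        raise ValueError("not an rsaEncryption key")
    _, rsapub, _ = der_read(der_read(seq, pos)[1], 1)  # BIT STRING body, skip the unused-bits octet
    _, n_body, pos = der_read(rsapub)
    return int.from_bytes(n_body, "big"), int.from_bytes(der_read(rsapub, pos)[1], "big")

# Toy RSA key generation: a small key so the demo runs in well under a second, not a recommendation.
def _is_probable_prime(n, rounds=16):
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin: composite unless a^d is +-1 or some square of it hits n-1
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x not in (1, n - 1) and not any((x := pow(x, 2, n)) == n - 1 for _ in range(r - 1)):
            return False
    return True
def _random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # odd, exact bit length
        if _is_probable_prime(c):
            return c
def generate_rsa(bits=512):
    """Return (n, e, d) for the SD; a real device would use a 2048-bit or larger key."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        if p != q and (p - 1) % e and (q - 1) % e:
            return p * q, e, pow(e, -1, (p - 1) * (q - 1))

# "RSA/None/PKCS1Padding" is RSAES-PKCS1-v1_5: EM = 00 02 <random non-zero PS> 00 <message>.
def pkcs1_v15_encrypt(n, e, msg):
    k = (n.bit_length() + 7) // 8
    if len(msg) > k - 11:
        raise ValueError("message too long for this key")
    ps = b""
    while len(ps) < k - len(msg) - 3:
        ps += secrets.token_bytes(1).replace(b"\x00", b"")
    em = b"\x00\x02" + ps + b"\x00" + msg
    return pow(int.from_bytes(em, "big"), e, n).to_bytes(k, "big")

def pkcs1_v15_decrypt(n, d, ct):
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(ct, "big"), d, n).to_bytes(k, "big")
    if em[:2] != b"\x00\x02" or b"\x00" not in em[2:]:
        raise ValueError("bad padding")  # must never be observable by the peer (Bleichenbacher oracle)
    return em[em.index(b"\x00", 2) + 1:]

def cp_encrypt_password(s, s2):
    """CP side of PIL10, mirroring k.a(String s, String s2): s = password, s2 = Base64 key body from PIL5."""
    decode = base64.b64decode(s2)             # Base64.decode(s2, 0)
    array = spki_prefix(decode) + decode      # new byte[k.a.length + decode.length], k.a first
    n, e = parse_spki(array)                  # X509EncodedKeySpec(array) -> PublicKey
    ct = pkcs1_v15_encrypt(n, e, s.encode())  # instance.init(1 = ENCRYPT_MODE, key); doFinal(s.getBytes())
    return base64.b64encode(ct).decode()      # Base64.encodeToString(..., 2 = NO_WRAP)
def sd_decrypt_password(ct_b64, n, d):
    """SD side of PIL11: adec(aenc(Password,PublicKey),PrivateKey)."""
    return pkcs1_v15_decrypt(n, d, base64.b64decode(ct_b64)).decode()

def run_setup_exchange(password):
    """PIL5 delivers PublicKey, PIL10 carries aenc(Password,PublicKey), the SD recovers Password."""
    n, e, d = generate_rsa()
    pil5_public_key = base64.b64encode(rsa_public_key_der(n, e)).decode()
    pil10_ciphertext = cp_encrypt_password(password, pil5_public_key)
    return sd_decrypt_password(pil10_ciphertext, n, d), pil10_ciphertext

if __name__ == "__main__":
    print(run_setup_exchange("correct horse battery staple"))
```

Everything the CP needs in order to encrypt arrives in PIL5 over the same open channel on which it then sends PIL10, so the confidentiality of Password rests on the CP checking that PublicKey belongs to the genuine SD (PIL5 also carries Certificate, IntermediateCerts and SignedData, and methods (3) and (4) above hash a certificate's public key); a fake SD hotspot that is accepted on its vendor prefix alone can otherwise supply its own key.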
Due to the lack of user authentication at the CP, any CP that joins the home Wi-Fi can obtain the identity of the current or last YouTube VideoID, either while the user is watching or while the TV shows the “Ready to Watch” text (this text stays on screen for 5 minutes after casting of a video stops). This holds whether the video is public or private. As a consequence, an attacker can obtain the identity of a victim user’s private YouTube video and send the PostBindRequest to cast it.