“Rickmote” box Rickrolls Chromecast, forcibly earworms hapless victims

Image courtesy of Dan Petro, Bishop Fox IT

Rick Astley. Wikimedia Commons image.Just when you thought it was safely de-Rick-Astley-ified, the world – or, at least, Chromecast viewers – are once again in danger of being Rickrolled.

Dan Petro, a security analyst for the Bishop Fox IT consultancy, has built a proof of concept device that’s able to hack into nearby Google Chromecasts and saturate the surrounding living room with inescapable 1980s pop music and haircuts.

With a single click on the big Rickroll button – featuring the face of 1980s pop phenom Rick Astley, of course – the Rickmote takes over and projects his famous “Never Gonna Give You Up” video (or whatever video the Chromecast-jacker chooses to inflict).

It’s then pretty difficult to get control back. Even turning the Chromecast off and on again won’t stop it from constantly reconnecting to the Rickmote.

As Petro ominously told Business Insider:

Thus the Rickroll keeps going indefinitely.

Victims have to just lie down and take it until somebody crushes the Rickmote or the attacker moves out of range.

The Rickmote is built on top of a Raspberry Pi: a credit-card-sized, single-board computer.
Image courtesy of Dan Petro, Bishop Fox IT

The Rickrolling starts when a Rickttacker boots up the device, signaling it to find a local Chromecast, kick it off the network, and plug in its own video.

Bishop Fox is promising a breakdown of the Rickmote at Black Hat Tools Arsenal USA on 6 August, with a step-by-step guide on how to create a Rickmote Controller out of a Raspberry Pi.

Petro explained the security hole that the Rickmote exploits in a presentation at ToorCon 15 (2013).

In that presentation, Petro says he wanted to hack TV broadcasts as soon as he saw how nicely it was done in Iron Man 2, but it wasn’t until Google came out with Chromecast that the Hollywood version entered the real world: namely, he finally had a WiFi signal to pick apart to get the job done.

Chromecast, an HDMI dongle, is Google’s digital media player. It plays audio/video content on a high-definition display by directly streaming it via WiFi from the internet or a local network.

Chromecast is very user friendly, Petro says, which translates, in security researcher terms, into “oh, goodie”:

It just kind of like automagically works, which from a user's perspective is totally awesome. And it is really is amazing easy to set up, which usually means amazingly insecure.

In a nutshell, Petro describes in his YouTube video, the device floods any nearby Chromecasts with deauthorisation commands. Those are sent unencrypted, meaning devices (such as the Rickmote) can send the commands even if they’re not on the network.

This is actually a fairly common quirk among WiFi devices.

Chromecast responds by going back into configuration mode and starts to broadcast its own WiFi.

A Rickmote can then connect to and configure the device, telling the Chromecast to reconnect to the Rickmote’s own WiFi network.

Thus, Rickrolling or other forms of video torture are free to commence.

Bishop Fox says the Rickmote is an open-source program “designed to make pranking your friends and neighbors easy”, with automated identification, targeting and video playing to all Chromecast-attached TVs in WiFi range.

Well, this is certainly not the first security-related Rickroll.

Security expert Dan Kaminsky in April 2008 had already shown security vulnerabilities that could lead to earworm infection, when he set up Rickrolls on Facebook and PayPal as a means of illustrating serious holes.

But we ain’t seen nothin’ yet. Just wait until the Mandalay Bay resort lets its Black Hat attendees loose on the streets of Las Vegas following Petro’s presentation on 6 August.

Or, as Petro writes:

One click is all it takes — and Rick Astley runs wild!

Rick Astley Tivoli Gardens” by Michael Alø-Nielsen – originally posted to Flickr as Rick Astley. Licensed under CC BY 2.0 via Wikimedia Commons.

Image of Rickmote courtesy of Dan Petro, Bishop Fox IT