Google has successfully addressed three security vulnerabilities identified in its Chromecast media-streaming devices, fortifying them against potential unauthorized custom OS installations and unsigned code execution. The vulnerabilities, designated as CVE-2023-48424, CVE-2023-48425, and CVE-2023-6181, were rectified with patches released on December 5.
The discovery of these flaws raised concerns over supply chain interception, a method in which attackers tamper with legitimate software updates by substituting malicious variants for them. Nolen Johnson, a security consultant with DirectDefense, highlighted the risks of purchasing devices from non-official sources, such as eBay and other third-party retailers, where Android TV streaming boxes have been found compromised with malware.
To mitigate these risks, Johnson advises Chromecast users to ensure their devices are updated through the Settings app. Google’s prompt response to the reported vulnerabilities included a bug bounty reward for the researchers who uncovered the issues and collaborated with Google to develop the necessary fixes.
The vulnerabilities were found in devices using the Amlogic-based chipset, which, if exploited, could enable hackers to conduct various attacks or gather sensitive information. The researchers also warned of the possibility of pre-installed malware or spyware on used devices, urging consumers to exercise caution when purchasing second-hand hardware. Google’s statement confirmed that no devices were affected prior to the patch, underscoring the importance of maintaining up-to-date security measures.