Educause Security Discussion mailing list archives

Re: Chromecast devices?

From: Dexter Caldwell <dexter.caldwell () FURMAN EDU>
Date: Wed, 9 Oct 2013 20:07:33 +0000

Agree.  Currently if devices don't do 802.1x we require them to be wired.  Ex, gaming devices.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Brian 
Helman
Sent: Wednesday, October 09, 2013 1:57 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Chromecast devices?

I'll have to bring one of my ChromeCasts in to see how our NAC identifies it.  We rate-shape video over our wireless 
network to preserve bandwidth.  We're a little more lenient on the wired network.   It also doesn't appear to support 
802.11x (only based on what I'm finding on the 'net.  I'll have to verify that too).   I think trying to duct tape 
consumer products into enterprise usage is not a good security position though.

-Brian

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dexter 
Caldwell
Sent: Wednesday, October 09, 2013 4:32 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Chromecast devices?

In theory you should be able to use a NAC to require these to be registered before accessing your wireless network.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Brian 
Helman
Sent: Friday, October 4, 2013 12:27 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Chromecast devices?

I bought a couple of these to play around with.  When in use, it's a relatively quiet device.  When not in use, it 
beacons quite a bit.  From a Networking viewpoint, I am not liking what I am seeing.

You are correct about the (lack of) security.  I read last week that Google will be pushing a code update out to the 
units over the next few weeks.  If your (or your students') units are able to access the Internet, they will get the 
update automatically.  Unlike the AppleTV or GoogleTV, you have no access to a Systems menu to force the upgrade.

We have 2000 resident students.  The last scan I performed found 120 unauthorized wireless devices in our res halls 
(routers, myfi's, wireless printers, apple/googleTV's).  We are starting to crack down on these.  It's a losing battle, 
but every little bit helps.  And yes, at $35 the ChromeCasts are going to pop up.  Luckily it looks like the only way 
to get them right now is from Google, so they aren't quite as convenient to acquire as the other devices.

FYI my device has not yet updated.  I may reset it to see if it forces an upgrade.

-Brian

________________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] on behalf of Joe St Sauver 
[joe () OREGON UOREGON EDU]
Sent: Wednesday, October 02, 2013 1:11 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Chromecast devices?

Joshua commented:

#Chromecast a cheap device that plugs into your TV and allow you to stream #content from your computer or mobile device 
to your TV.  We have students #who have purchased these devices.
#
#My concern is that as soon as you plug a Chromecast device into your TV, #anyone who has the Chromecast software (free 
download) can play content #on your TV (even harassing content or porn).

I was given one of these as a gift by a family member. (Thanks, son!)

The model obviously expects you to be operating in a closed personal WiFi network, e.g., Ye Olde Family WiFi Private 
Network.

That "residential deployment model" expects that if Junior or Sissy injects unacceptable content onto the family 
Chromecast, "surprising"
the family, Mom or Dad will detect the miscreant involved and discipline them, likely by confiscating their system or 
revoking their access to the family network until that pesron has Gotten the Message (as my long departed parents used 
to describe it, way back when).

Clearly this is not a terrific access control model if you've got
500 random people connected to an unsegmented ResHall wireless network, and of course, most schools aren't very happy 
if students attempt to "deal with the issue" by running their own private WiFi network, subordinate to their 
institutional connections, either.

A more sophisticated device pairing and authentication model is obviously needed (but hey, we're talking a $35 device, 
right?)

I will also add that I'd love to see more specific release notes.
For example, mid September, Chromecast devices got build 13300.
That build included "Security fixes" (see http://googlechromereleases.blogspot.com/2013/09/chromecast-update.html ), 
but, unfortunately, I've not been able to find any additional information about what those specific "security fixes" 
actually involved. Anyone else know?

Regards,

Joe

Current thread:

Chromecast devices? Jones, Joshua (Oct 02)
- <Possible follow-ups>
- Re: Chromecast devices? Joe St Sauver (Oct 02)
  - Re: Chromecast devices? Steven Bochniewicz (Oct 02)
    - Re: Chromecast devices? Emery Rudolph (Oct 02)
  - Re: Chromecast devices? Brian Helman (Oct 03)
    - Re: Chromecast devices? Dexter Caldwell (Oct 09)
    - Re: Chromecast devices? Brian Helman (Oct 09)
    - Re: Chromecast devices? Dexter Caldwell (Oct 09)
    - Re: Chromecast devices? SCHALIP, MICHAEL (Oct 10)