You may have heard by now that significant numbers of Google’s excellent Chromecast devices — dongles that attach to televisions to display video streams — are being “hijacked” by hackers, forcing attached televisions to display content of the hackers’ choosing. The same exploit permits other tampering with some users’ Chromecasts, including apparently forced reboots, factory resets, and configuration changes. Google Home devices don’t seem to be similarly targeted currently, but they likely are similarly vulnerable.
The underlying technical vulnerability itself has been known for years, and Google has been uninterested in changing it. These devices use several ports for control, and they depend on local network isolation rather than strong authentication for access control.
In theory, if everyone had properly configured Internet routers with bug free firmware, this authentication and control design would likely be adequate. But of course, everyone doesn’t fall into this category.
If those control ports end up accessible to the outside world via unintended port forwarding settings (the UPnP capability in most routers is especially problematic in this regard), the associated devices become vulnerable to remote tampering, and may be discoverable by search engines that specialize in finding and exposing devices in this condition.
Google has their own reasons for not wanting to change the authentication model for these devices, and I’m not going to argue the technical ramifications of their stance right now.
But the manner in which Google has been reacting to this new round of attacks on Chromecast users is all too typical of their continuing user trust failures, others of which I’ve outlined in the recent posts “Can We Trust Google?” (https://lauren.vortex.com/2018/12/10/can-we-trust-google) and “The Death of Google” (https://lauren.vortex.com/2018/10/08/the-death-of-google).
Granted, Chromecast hijacking doesn’t rank at the top of exploits sorted by severity, but Google’s responses to this situation are entirely characteristic of their attitude when faced with such controversies.
To date — as far as I know — Google has simply taken the “pass the buck” approach. In response to media queries about this issue, Google insists that the problem isn’t their fault. They assert that other devices made by other firms can have the same vulnerabilities. They lay the blame on users who have configured their routers incorrectly. And so on.
While we can argue the details of the authentication design that Google is using for these devices, there’s something that I consider to be inarguable: When you blame your users for a problem, you are virtually always on the losing side of the argument.
It’s as if Google just can’t bring itself to admit that anything could be wrong with the Chromecast ecosystem — or other aspects of their vast operating environments.
Forget about who’s to blame for the situation. Instead, how about thinking of ways to assist those users who are being affected or could be affected, without relying on third-party media to provide that kind of help!
Here’s what I’d do if I was making these decisions at Google.
I’d make an official blog post on the appropriate Google blogs alerting Chromecast users to these attacks and explaining how users can check to make sure that their routers are configured to block such exploits. I’d place something similar prominently within the official Chromecast help pages, where many users already affected by the problem would be most likely to initially turn for official “straight from Google” help.
This kind of proactive outreach shouldn’t be a difficult decision for a firm like Google that has so many superlative aspects. But again and again, it seems that Google has some sort of internal compulsion to try minimize such matters and to avoid reaching out to users in such situations, and seems to frequently only really engage publicly in these kinds of circumstances when problems have escalated to the point where Google feels that its back is against the wall and that they have no other choice.
This isn’t rocket science. Hell, it’s not even computer science. We’re talking about demonstrating genuine respect for your users, even if the total number of users affected is relatively small at Google Scale, even if the problems aren’t extreme, even if the problems arguably aren’t even your fault.
It’s baffling. It’s disturbing. And it undermines overall user trust in Google relating to far more critical issues, to the detriment of both Google itself and Google’s users.
And perhaps most importantly, Google could easily improve this situation, if they chose to do so. No new data centers need be built for this purpose, no new code is required.
What’s needed is merely the recognition by Google that despite their great technical prowess, they have failed to really internalize the fact that all users matter — even the ones with limited technical expertise — and that Google’s attitude toward those users who depend on their services matters at least as much as the quality of those services themselves.
–Lauren–