this post was submitted on 17 Mar 2025
11 points (92.3% liked)

Keep on casting.

[–] [email protected] 2 points 1 month ago (1 children)

I actually can't believe how long this took them to fix.

[–] [email protected] 2 points 1 month ago (1 children)

If the problem is an expired device certificate then this was a very quick turnaround.

All shipped Chromecast receiver devices have the device cert private key safely locked behind a TPM. Sending new certificates across the network without carefully planning things gives us a chance to intercept them & use them in our own receiver software which could e.g. download streams from Netflix/Disney etc.

[–] [email protected] 2 points 1 month ago* (last edited 1 month ago) (1 children)

So you're saying that a private key within the TEE expired... So they probably had to write a custom TEE program in order to rotate it? Along with actually securely delivering it.

So... Did we (someone) manage to capture it? Ultimately though each device is going to have to request a new key, so even with a jailbroken TEE you're still only going to be capturing the key for that specific device. The key would be how they implemented the verification that an expired device was allowed to get a new key and that verification... Idk, not an expert in Widevine keys and such but I assume that cert chain expired.

Edit: sounds like it wasn't the factory key that expired, just a system level intermediate CA but updating it was still a PITA because of all the cert expiration checks by all the apps. I.e. Google home. Feel free to correct me if I'm incorrectly summarizing. (https://www.reddit.com/r/Chromecast/comments/1j8wtxa/heres_why_a_fix_is_taking_so_long/) Obligatory 🖕 reddit.

[–] [email protected] 1 points 1 month ago

Yeah, reading the follow-up to that post, I think they just created a new intermediate with the same key as the old one & pushed this to Chromecasts. I didn't know this was a thing you could do. Learn something new every day 😁.

I've seen enterprise network equipment with this same issue, but the manufacturer instead forced owners to manually renew device certificates. Their device authentication is now broken because the certificate private keys were poorly protected in transit.

I'm wondering now why they didn't just use this key rewrap trick.

[–] [email protected] 1 points 1 month ago

My short localized minor inconvenience is finally over!

(Or was a couple of days ago)

I'm not sure what a good replacement would be if this hadn't been fixed. The one I first saw suggested used a separate app and there's no way that is being maintained long term.