Updated 8th of June — See updates from Google and other sources at the bottom

I’ll admit, I’m a bit of a Google fanboy. With the exception of their forgotten-password information leaks, they typically build for scale and balance UX with security very well indeed. Alas, such thoroughness doesn’t appear to extend to their Chromecast products. In an age where we’re even concerned about smartphone gyroscopes sniffing our PINs, I think the humble Chromecast deserves some attention.

Picture the scene. You’re at a party at a friend’s house and they’ve got a Chromecast up. You fancy showing off a website / video / app, so you mirror your screen to the big TV they have up. As a security-conscious individual you run a PIN or screen lock on your device, because after all — your phone is your master key to your digital life these days. You step away for a moment, locking your screen, and return to sharing your screen.

The secret unlock code is all that stands in the way of terabytes of cat pictures!

Uh, you’ve just broadcast your unlock pattern to the whole party! What about if you use a PIN instead?

It’s broadcast too!

Still, it should be simple to fix, right? Simply have Android suspend mirroring when locked — easy fix! I submit to Google:

Alice is at a party. It’s in full swing and there are 8 people in the main living room.

Because she doesn’t know everyone there and is security and privacy conscious, she has a pattern or lock code on her phone to prevent its unauthorised use.

Alice wants to show Bob an interesting app on her phone; Bob suggests she shows everyone in the room via the Chromecast using screen mirroring, so various people can see it.

Alice begins screen mirroring, but then steps away from her phone for a moment, locking it.

When returning to her phone, the first thing she does is unlock it, inadvertently broadcasting her pattern/PIN to the whole room.

Malcom, who was also in the room and not paying too much attention up to this point, spotted Alice unlock her phone in Chromecast mirroring mode, and now knows her PIN/pattern without being seen to even shoulder-surf.

The next time Alice steps away from her phone, Malcom can grab it, unlock it and invade Alice’s privacy, send abusive messages or even install a backdoor app.

What does Google say?

We won’t track this as a security issue. As you pointed out, Alice as a security-conscious person would disable mirroring before entering the PIN code. You can do that from a locked phone. Also there is a pattern option that does not show the pattern.

So there you have it folks. Rather than automatically suspending screen mirroring when your screen is locked, Google wants you to stop mirroring, unlock and re-mirror every time. I believe this to be an obvious design oversight that quite unnecessarily renders locked devices vulnerable in common social situations. Happy Chromecasting!
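The suspend-on-lock behaviour argued for above, as an added example of how an app that does its own screen mirroring could implement the same policy. This is illustrative code written for this post, not Android’s or Google’s mirroring implementation; the MediaProjection and the cast sink Surface are assumed to have been obtained already.

```java
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.hardware.display.DisplayManager;
import android.hardware.display.VirtualDisplay;
import android.media.projection.MediaProjection;
import android.view.Surface;

// Mirrors the screen to a cast sink, but blanks the output while the device is locked.
public final class LockAwareMirror {
    private final Context context;
    private final MediaProjection projection; // assumed: already granted via MediaProjectionManager
    private final Surface castSurface;        // assumed: the encoder/cast sink surface
    private final int width, height, dpi;
    private VirtualDisplay display;

    public LockAwareMirror(Context context, MediaProjection projection, Surface castSurface,
                           int width, int height, int dpi) {
        this.context = context; this.projection = projection; this.castSurface = castSurface;
        this.width = width; this.height = height; this.dpi = dpi;
    }

    private final BroadcastReceiver lockReceiver = new BroadcastReceiver() {
        @Override public void onReceive(Context ctx, Intent intent) {
            if (Intent.ACTION_SCREEN_OFF.equals(intent.getAction())) {
                display.setSurface(null);        // locked: keyguard and PIN/pattern entry never leave the phone
            } else if (Intent.ACTION_USER_PRESENT.equals(intent.getAction())) {
                display.setSurface(castSurface); // sent only after the keyguard has been dismissed
            }
        }
    };

    public void start() {
        projection.registerCallback(new MediaProjection.Callback() {}, null); // required on Android 14+
        display = projection.createVirtualDisplay("cast-mirror", width, height, dpi,
                DisplayManager.VIRTUAL_DISPLAY_FLAG_AUTO_MIRROR, castSurface, null, null);
        IntentFilter filter = new IntentFilter(Intent.ACTION_SCREEN_OFF);
        filter.addAction(Intent.ACTION_USER_PRESENT);
        context.registerReceiver(lockReceiver, filter); // system broadcasts: runtime registration only
    }

    public void stop() {
        context.unregisterReceiver(lockReceiver);
        display.release();
        projection.stop();
    }
}
```

Detaching the surface at ACTION_SCREEN_OFF and reattaching it only at ACTION_USER_PRESENT means the lock screen, and whatever PIN or pattern is entered on it, is never sent to the sink, while everything before and after is mirrored as normal.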

Updates!

I take real issue with certain elements of the infosec community. My post to /r/Android, whilst gathering some horrible feedback, was actually removed for the reason of “No reposts, spam or rehosted content.”

So don’t be an idiot and leave your phone connected to Chromecast while idling and you are physically away from it. The quick fix is disconnecting the cast before you leave. Or put on a longer screen timeout.

Because security is something a ‘smart’ user should have to configure rather than something there by default obviously. Twats.

Fortunately, Twitter user @WhyAyeMac reached out and identified that this was in fact fixed in Android Oreo:

When I passed this on to Google, they had it checked out by the product team and finally admitted this was an issue!

Thank you for the report. We reviewed the provided information and have determined that it is a duplicate of an existing, already-tracked bug. Sorry about that — and keep up the good work!

Regards,

Google Security Bot

So no fame and fortune for me, alas. But what have we learned? It’s always cheaper to deny the security issues of your emergent technology paradigms than to design them securely from the ground up — in fact your fanboys will help you in your efforts to do so!