A closer look into privacy and security of Chromecast multimedia cloud communications

Cloud computing has enabled a wide range of streaming multimedia applications, and many HDMI-based devices have emerged as a result. Chromecast is one of these devices: it plugs into the HDMI port of a larger screen and turns it into a smart screen. With Chromecast, you can stream videos from the cloud onto a larger screen and control playback from a mobile device such as a smartphone, tablet or laptop. The idea is to cast the multimedia to a larger second screen and use the smaller one as a remote control. A growing number of cloud-based multimedia content providers, such as YouTube, Netflix, Hulu and HBO, offer applications that support Chromecast streaming on mobile operating systems. The device uses the Discovery and Launch (DIAL) protocol, developed by YouTube and Netflix. We examined the network packets exchanged between the smaller remote control device and the Chromecast-attached larger screen. While Chromecast encrypts most of the content, the remote control device sends control packets to the cloud servers in cleartext, which makes them vulnerable to replay attacks and session-hijacking attacks. In addition, data communication with cloud servers leaks personal information outside the home network, raising privacy concerns. The network protocols used by Chromecast are investigated and known vulnerabilities are listed. A method to detect the existence of a Chromecast behind a home router is proposed.