Google's Reaction to Chromecast Hijacking Is Another User Trust Failure
https://lauren.vortex.com/2019/01/04/googles-reaction-to-chromecast-hijacking-is-another-user-trust-failure
You may have heard by now that significant numbers of Google's
excellent Chromecast devices -- dongles that attach to televisions to
display video streams -- are being "hijacked" by hackers, forcing
attached televisions to display content of the hackers' choosing. The
same exploit permits other tampering with some users' Chromecasts,
including apparently forced reboots, factory resets, and configuration
changes. Google Home devices don't seem to be similarly targeted
currently, but they likely are similarly vulnerable.
The underlying technical vulnerability itself has been known for
years, and Google has been uninterested in changing it. These devices
use several ports for control, and they depend on local network
isolation rather than strong authentication for access control.
In theory, if everyone had properly configured Internet routers with
bug-free firmware, this authentication and control design would likely
be adequate. But of course, not everyone falls into this category.
If those control ports end up accessible to the outside world via
unintended port forwarding settings (the UPnP capability in most
routers is especially problematic in this regard), the associated
devices become vulnerable to remote tampering, and may be discoverable
by search engines that specialize in finding and exposing devices in
this condition.
Google has their own reasons for not wanting to change the
authentication model for these devices, and I'm not going to argue the
technical ramifications of their stance right now.
But the manner in which Google has been reacting to this new round of
attacks on Chromecast users is all too typical of their continuing
user trust failures, others of which I've outlined in the recent posts
"Can We Trust Google?"
( https://lauren.vortex.com/2018/12/10/can-we-trust-google ) and
"The Death of Google" ( https://lauren.vortex.com/2018/10/08/the-death-of-google ).
Granted, Chromecast hijacking doesn't rank at the top of exploits
sorted by severity, but Google's responses to this situation are
entirely characteristic of their attitude when faced with such
controversies.
To date -- as far as I know -- Google has simply taken the "pass the
buck" approach. In response to media queries about this issue, Google
insists that the problem isn't their fault. They assert that other
devices made by other firms can have the same vulnerabilities. They
lay the blame on users who have configured their routers incorrectly.
And so on.
While we can argue the details of the authentication design that
Google is using for these devices, there's something that I consider
to be inarguable: When you blame your users for a problem, you are
virtually always on the losing side of the argument.
It's as if Google just can't bring itself to admit that anything could
be wrong with the Chromecast ecosystem -- or other aspects of their
vast operating environments.
Forget about who's to blame for the situation. Instead, how about
thinking of ways to assist those users who are being affected or could
be affected, without relying on third-party media to provide that kind
of help!
Here's what I'd do if I were making these decisions at Google.
I'd make an official blog post on the appropriate Google blogs
alerting Chromecast users to these attacks and explaining how users
can check to make sure that their routers are configured to block such
exploits. I'd place something similar prominently within the official
Chromecast help pages, where many users already affected by the
problem would be most likely to initially turn for official "straight
from Google" help.
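The exposure mechanism described earlier (device control ports reached from the Internet through UPnP-created port forwards) and the router check suggested just above can be turned into a concrete audit. The following is an added example for this post, not code from Google, from the Chromecast project, or from the post's author. It walks a router's UPnP IGD port-mapping table with the standard WANIPConnection `GetGenericPortMappingEntry` action and flags any enabled forward that lands on a LAN host's control port. The set of ports to flag is an assumption (the post names none): 8008/8443 and 8009 are the HTTP/HTTPS and Cast-socket ports a Chromecast listens on, but adjust the set for your own devices. The `control_url` argument is assumed to have been obtained from the router's IGD description document via SSDP discovery, which is not shown; the sample responses used for the offline demo are constructed.

```python
"""Audit a router's UPnP IGD port-mapping table for forwards that expose
LAN devices' control ports to the Internet. Added example; not from the
original post, from Google, or from the Chromecast project."""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Iterator, List

# Assumed control ports to flag (the post lists none). 8008/8443 are the
# HTTP/HTTPS ports and 8009 the Cast socket on a Chromecast; adapt as needed.
EXPOSED_CONTROL_PORTS = {8008, 8009, 8443}

IGD_SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"


@dataclass(frozen=True)
class PortMapping:
    external_port: int
    protocol: str
    internal_client: str
    internal_port: int
    enabled: bool
    description: str


def parse_mapping_entry(xml_text: str) -> PortMapping:
    """Parse one GetGenericPortMappingEntryResponse SOAP body. The argument
    elements (NewInternalClient etc.) are unqualified in the IGD spec, so a
    namespace-free search finds them."""
    root = ET.fromstring(xml_text)

    def field(name: str) -> str:
        el = root.find(".//" + name)
        if el is None:
            raise ValueError("missing element " + name)
        return (el.text or "").strip()  # empty elements have text None

    return PortMapping(
        external_port=int(field("NewExternalPort")),
        protocol=field("NewProtocol").upper(),
        internal_client=field("NewInternalClient"),
        internal_port=int(field("NewInternalPort")),
        enabled=field("NewEnabled") == "1",
        description=field("NewPortMappingDescription"),
    )


def audit(mappings: List[PortMapping]) -> List[str]:
    """One finding per enabled mapping that forwards Internet traffic to a
    LAN host on a device control port. Disabled mappings are skipped."""
    findings = []
    for m in mappings:
        if m.enabled and m.internal_port in EXPOSED_CONTROL_PORTS:
            findings.append(
                f"WAN {m.protocol}/{m.external_port} -> "
                f"{m.internal_client}:{m.internal_port} "
                f"({m.description or 'no description'}) exposes a control port"
            )
    return findings


def fetch_mappings(control_url: str) -> Iterator[PortMapping]:
    """Walk the live mapping table by index. control_url is the router's
    WANIPConnection control URL (assumed discovered via SSDP beforehand).
    Routers answer an out-of-range index with a SOAP fault (HTTP 500),
    which ends the walk."""
    index = 0
    while True:
        body = (
            f'<s:Envelope xmlns:s="{SOAP_ENV}" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
            f'<s:Body><u:GetGenericPortMappingEntry xmlns:u="{IGD_SERVICE}">'
            f"<NewPortMappingIndex>{index}</NewPortMappingIndex>"
            "</u:GetGenericPortMappingEntry></s:Body></s:Envelope>"
        )
        req = urllib.request.Request(
            control_url, data=body.encode(), method="POST",
            headers={"Content-Type": 'text/xml; charset="utf-8"',
                     "SOAPAction": f'"{IGD_SERVICE}#GetGenericPortMappingEntry"'},
        )
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                yield parse_mapping_entry(resp.read().decode())
        except urllib.error.HTTPError:
            return
        index += 1


def _sample(ext, proto, client, iport, enabled, desc) -> str:
    """Constructed GetGenericPortMappingEntryResponse for offline use."""
    return (
        f'<s:Envelope xmlns:s="{SOAP_ENV}"><s:Body>'
        f'<u:GetGenericPortMappingEntryResponse xmlns:u="{IGD_SERVICE}">'
        f"<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>"
        f"<NewProtocol>{proto}</NewProtocol><NewInternalPort>{iport}</NewInternalPort>"
        f"<NewInternalClient>{client}</NewInternalClient>"
        f"<NewEnabled>{int(enabled)}</NewEnabled>"
        f"<NewPortMappingDescription>{desc}</NewPortMappingDescription>"
        "<NewLeaseDuration>0</NewLeaseDuration>"
        "</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"
    )


def demo() -> List[str]:
    """Audit three constructed entries: a UPnP forward straight to a dongle's
    HTTP control port (flagged), a game-console forward on an unrelated port
    (ignored) and a disabled forward to 8443 (ignored)."""
    samples = [
        _sample(8008, "TCP", "192.168.1.50", 8008, True, "upnp auto"),
        _sample(3074, "UDP", "192.168.1.20", 3074, True, "console"),
        _sample(8443, "TCP", "192.168.1.50", 8443, False, "stale"),
    ]
    return audit([parse_mapping_entry(s) for s in samples])


if __name__ == "__main__":
    for line in demo() or ["no exposed control ports found"]:
        print(line)
```

Run against a live router with `audit(list(fetch_mappings(control_url)))`. A hit means the router is forwarding Internet traffic to a device whose access control is "whoever can reach the port", which is exactly the condition the post describes; removing the mapping (and disabling UPnP if nothing on the network needs it) closes the exposure without any change to the device itself.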
This kind of proactive outreach shouldn't be a difficult decision for
a firm like Google that has so many superlative aspects. But again and
again, it seems that Google has some sort of internal compulsion to
try to minimize such matters and to avoid reaching out to users in such
situations, and they frequently only really engage publicly in these
kinds of circumstances when problems have escalated to the point where
Google feels that its back is against the wall and that they have no
other choice.
This isn't rocket science. Hell, it's not even computer science. We're
talking about demonstrating genuine respect for your users, even if
the total number of users affected is relatively small at Google
Scale, even if the problems aren't extreme, even if the problems
arguably aren't even your fault.
It's baffling. It's disturbing. And it undermines overall user trust
in Google relating to far more critical issues, to the detriment of
both Google itself and Google's users.
And perhaps most importantly, Google could easily improve this
situation, if they chose to do so. No new data centers need be built
for this purpose, no new code is required.
What's needed is merely the recognition by Google that despite their
great technical prowess, they have failed to really internalize the
fact that all users matter -- even the ones with limited technical
expertise -- and that Google's attitude toward those users who depend
on their services matters at least as much as the quality of those
services themselves.
- - -
Request invite to my new private discussion forum: [email protected]
--Lauren--
Lauren Weinstein ([email protected]): https://www.vortex.com/lauren
Lauren's Blog: https://lauren.vortex.com
Founder: Network Neutrality Squad: https://www.nnsquad.org
PRIVACY Forum: https://www.vortex.com/privacy-info
Co-Founder: People For Internet Responsibility: https://www.pfir.org/pfir-info
Member: ACM Committee on Computers and Public Policy
Google+: https://google.com/+LaurenWeinstein
Twitter: https://twitter.com/laurenweinstein
Tel: +1 (818) 225-2800
_______________________________________________
nnsquad mailing list
https://lists.nnsquad.org/mailman/listinfo/nnsquad