While the amount of power that a Chromecast draws is negligible, and turning it off and on may actually increase power usage due to power required to boot the thing, I’ve changed my mind on best practices here based on a Chromecast Rickroll method invented last year and popularized last week with the implementation of a physical device. I think you should unplug your Chromecast when not in use if you have close neighbors or live in an apartment.
The TL;DR version of this article is: there’s a potential security concern, probably only worrisome at the moment if you have jerks for neighbors. It may become worse in time.
The exploit works in the following manner: a device sniffs WiFi for Chromecasts (which I believe can be easily determined by their MAC addresses). When when one is found it knocks it off your network by sending it a series of deauth commands. The attacked Chromecast subsequently kicks into setup mode since it’s not connected to a network any more and can then be configured to play anything the attacker wants. The whole process takes 5-10 seconds.
My initial concern was that could be used to access information that would have the FBI breaking down your door, but as the Chromecast has to be configured to talk to a WiFi hotspot, it’s only talking to the attacker’s connection. They probably don’t have access to your network.
So at the moment, no worries about a Chromecast giving out your WiFi password or doing something so illegal on your internet connection that it warrants a police response. But that’s at the moment.
There hasn’t been a root exploit for the Chromecasts for a while, but that’s not to say there won’t be one again that could allow password or profile retrieval or to do something nasty.
What’s most concerning at the moment is that knocking a Chromecast off of your network is relatively easy to accomplish, which means if you have neighbors who are jerks they can knock your device off, reconfigure it to their internet or intranet, and have your Chromecast streaming donkey tea parties 24/7.
You’ll also have to reset your Chromecast in order to gain control of it again, as it won’t appear while connected to their network, but an attacker can just knock you right back off and start back up with the video streaming.
The attack is more of a nuisance than a real security concern at the moment, but it does show that the Chromecast is a pretty insecure device insofar as anyone within WiFi range can do whatever they want to do with it.
A concern here is using the Chromecast as a universal remote to whatever device it’s plugged into. While it doesn’t appear that you can shut off a TV, the Chromecast does have the ability to turn on the TV and potentially to switch the inputs and control the volume.
The thought of 3:00 a.m. donkeys bleating about Earl Grey from a TV connected to a hacked Chromecast is what I imagine the practical application for hacking will be. That or your unsuspecting neighbor gets infected with malware that locates Chromecasts, reconfigures them, and starts attempting to sell some male-enhancement formula via local streaming at all hours of the day.
There’s not a fix yet, but all Google really needs to do is require pressing the button on the Chromecast to go into setup mode after its first power on (as mentioned in the video in the first link above). That or not respond to the deauth packets if the WiFi connection is still up.
In the meantime, to ensure you’re not exposing your kids or your sensitive eyeballs to some random horrors of the internet, unplugging it when it’s not in use might be best.