As Chromecast outage drags on, fix could be days to weeks away

Updated Older models of google’s Chromecast media-streaming sticks remain broken, and independent research suggests a fix could take potentially weeks to materialize.

Second-generation Chromecast and Chromecast Audio devices stopped working on March 9.

google hasn’t said what went wrong, but an expired device authentication certificate authority is a likely cause. More on that later.

The internet goliath has not said when the problem will be fixed, either, but did share an alert advising users not to perform a factory reset as that won't help.

The Silicon Valley giant also emailed owners of the devices a mea culpa.

"We’re contacting you because of the disruption affecting Chromecast (2nd gen) and Chromecast Audio devices," reads the message forwarded by numerous Register readers.

"We apologize for the issue and understand your frustration. We are working to roll out a fix as soon as possible and will share updates and guidance on the Nest Community page. We appreciate your patience as we resolve this issue."

Despite our repeated requests for details about the outage, google told The Register only that it is "aware of an issue" and pointed to the status page for updates.

A fix could take weeks

One knowledgeable chap believes he has identified the problem and concluded that fixing it won't be easy. We reckon he's on the money.

Tom Hebb, a former Meta software engineer and Chromecast hacker, has published a detailed analysis of the issue and suggests a fix could take more than a month to prepare. He's also provided workarounds here for folks to try in the meantime.

We spoke to Hebb, and he says the problem is this expired device authentication certificate authority.

Chromecasts are basically media players that you plug into equipment, such as a loudspeaker or TV. Apps and such things can connect to your Chromecast and send it, among other data, a URL to fetch media from and output by itself, when you want to play something.

Briefly put, Chromecast devices each contain a cryptographic public-private key pair, installed at the factory and together form a certificate, that can create a digital signature that proves the gadget is a legit google-made device. That means it's not a knock-off and can be trusted by whatever app and service you're using it with – such as an official google app – to play some media.

When we say this proves the gadget is legit, we mean the factory-installed certificate used to create the signature proof is itself digitally signed by a google-owned intermediate certificate authority that chains up to a google-owned root authority. This allows applications and services, including google's official apps, to cryptographically verify that the device they're talking to was made by google: Software can walk back from the signature proof to the web giant.

The affected devices' intermediate authority's 10-year validity expired on March 9, 2025, which means it cannot be used by today's apps to complete this cryptographic process. Software analyzing the chain of trust will reject the whole thing as broken, due to the expired intermediate authority, and that's why folks are seeing error messages about their Chromecast being an "untrusted" device, resulting in the thing being rendered useless.

• google begs owners of crippled Chromecasts not to hit factory reset
• googlers asked if they'd like to bury themselves next to Stadia, Chromecast, DropCam
• All y'all love AI, right? get ready for gemini in Nest cameras, google Assistant
• It's google's hardware launch day, and what do we get? A few Pixel phones, Nest kit, and another Chromecast

Note that applications don't have to perform the authenticity check; google's apps will, and fail, but unofficial clients, such as VLC, are happy to continue working with the gadgets, we're told.

The fix is not simple. It's either going to involve a bit of a hack with updated client apps to accept or workaround the situation, or somehow someone will need to replace all the key pairs shipped with the devices with ones that use a new valid certificate authority. And getting the new keys onto devices will be a pain as, for instance, some have been factory reset and can't be initialized by a google application because the bundled cert is untrusted, meaning the client software needs to be updated anyway.

given that the product family has been discontinued, teams will need to be pulled together to address this blunder. And it does appear to be a blunder rather than planned or remotely triggered obsolescence; earlier Chromecasts have a longer certificate validity, of 20 years rather than 10.

"google will either need to put in over a month of effort to build and test a new Chromecast update to renew the expired certificates, or they will have to coordinate internally between what's left of the Chromecast team, the Android team, the Chrome team, the google Home team, and iOS app developers to push out new releases, which almost always take several days to build and test," Hebb explained.

"I expect them to do the latter. A server-side fix is not possible."

So either a week or so to rush out app-side updates to tackle the problem, or much longer to fix the problem with replaced certs.

Polish security researcher Maciej Mensfeld also believes the outage is most likely due to an expired device authentication certificate authority. He’s proposed a workaround that has helped some users, at least.

Hebb, meanwhile, warns more certificate authority expiry pain is looming, with the Chromecast Ultra and google Home running out in March next year, and the google Home Mini in January 2027. ®

Updated to add

good news: Roughly four days after the cert SNAFU kicked off, google says it's ready to gradually roll out an update for Chromecasts to get them working again as usual.