Wireless security scare

I was watching TV on Roku connected to a wireless network* when I got a notification that a Samsung device was trying to cast to my TV. I don’t own a Samsung device. The 4 options were to allow it or block it, and once or permanently. I blocked it. How concerned should I be?

As soon as possible, I went to my PC and checked the connected devices via the router. Nothing unusual. Then I changed my wireless password. Anything else I should do? Wireless is secured with WPA2/AES but otherwise my wireless security knowledge might be a few years out of date.

My phone is a non-Samsung Android, and the kid was on an iPad at the time. Unless one of us hit a button and the Roku mis-identified the source, I don’t know where it might be coming from. Other devices were a Windows 7 PC and MacBook, both sleeping or off at the time.

*It was during the South Park episode “HumancentiPad,” somewhat ironically about automatically accepting prompts without reading them first, as well as getting screwed by technology.

There’s nothing to worry about. Someone did accidentally (or deliberately) try to cast a video to your Roku, but since you didn’t allow it, nothing happened.

Screen casting (Miracast) is a connection directly between the casting device (the Samsung in your case) and the Roku. Your router and network are not involved at all. The perpetrator (let’s call him) did not need your wifi password to attempt the cast. Even if you had allowed him to cast, all that would have happened is his video would have played on your TV. He couldn’t have seen any other devices on your network.

If you don’t use Miracast yourself, you can disable the feature to ensure that this doesn’t happen again. Go to Settings -> System -> Screen mirroring -> Mode -> Never allow.

This article explains this feature: https://support.roku.com/article/208754928-how-to-use-screen-mirroring-with-your-android-or-windows-device

I would be a little concerned because of this:

So presumably a neighbor was on your wi-fi network and did this by accident. It was good that you changed your wireless password. Was it a very weak password previously? Are you in an apartment building with a lot of neighbors?

You could consider getting a newer, more secure router if you are concerned.

Hm, I’m not sure what that page is intending to say, but it’s not true that the casting device and receiving device need to be on the same network. I’ll ask around Roku tomorrow and see if anyone knows why that statement is there.

You can easily verify this – just unplug your router and try to cast to your Roku. It will display a warning but will still connect. The modem is not involved.

Do you work for Roku?

Yes, and in fact I wrote the first version of the Miracast software for Roku. (It’s evolved a lot since I last worked on it though.)

OK, I’ll defer to your knowledge. I guess in apartment buildings screencasting attempts to someone else’s TV must happen all the time if there is no requirement to be on the same network.

It had numbers and “special” characters, and more importantly about 20 characters. It wasn’t completely random though, just obscure. But any brute forcing would have to be very lucky.

Smallish condo, 7 immediate neighbors, maybe another 8 who might detect my wireless.

Thanks for the insider input. How does it work though, how would I “accidentally” do this to a neighbor? Do none of my neighbors own a Roku or Miracast device? The only casting I am aware of is the icon on my phone in YouTube, which only detects my Roku, and Plex, which requires you to establish a specific pairing on both devices.

The “casting” that’s done by YouTube and Netflix is a completely different technology, called DIAL. In that case, the phone basically just sends a URL to the Roku, and the Roku then goes to the YouTube website and plays the video from there. That’s very different from Miracast, where the phone creates a video stream of its screen and sends the stream directly to the Roku. When you fire up Miracast on your phone (which is not available on all phones, and is accessed differently on different phones – on my Galaxy S6 it’s called “Smart View”), you will see a list of Miracast sinks (receivers) that the phone can detect. This list will include all the sinks that are within range, not necessarily only those on your network. You should at least see your Roku, and if any neighbors have Miracast sinks, you’ll see them too.

BTW, one reason Miracast is a peer-to-peer connection between the devices rather than going through the router like a “normal” connection is the latency involved. When people cast their phone, they want the TV to show what’s on the phone NOW, not what it was showing 1 or 2 seconds ago. You would not believe how difficult it is to achieve acceptable latency even with a p2p connection, and adding the latency of all packets going to the router and then to the sink, competing with other traffic going through the router, would make acceptable latency nearly impossible.
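Added example, not part of the original thread: DIAL discovery is an SSDP multicast search over the IP network, which is why a DIAL sender only finds receivers on the network it has joined, unlike the Miracast sink list described above. The sketch below builds that search and picks DIAL receivers out of the replies, so you can inventory which devices on your own network answer; the sample replies and their addresses are constructed, and `discover()` is only run if you call it.

```python
import socket

DIAL_ST = "urn:dial-multiscreen-org:service:dial:1"  # DIAL search target
SSDP_ADDR = ("239.255.255.250", 1900)                # SSDP multicast group

def build_msearch(mx=2):
    """SSDP search request a DIAL client multicasts on the local IP network."""
    return (f"M-SEARCH * HTTP/1.1\r\nHOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}\r\n"
            f'MAN: "ssdp:discover"\r\nMX: {mx}\r\nST: {DIAL_ST}\r\n\r\n').encode()

def parse_response(raw):
    """Return a lower-cased header dict for a 200 OK SSDP reply, else None."""
    lines = raw.decode("utf-8", "replace").split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def dial_receivers(replies):
    """Map sender IP -> device description URL for replies advertising DIAL."""
    found = {}
    for raw, ip in replies:
        h = parse_response(raw)
        if h and h.get("st") == DIAL_ST and "location" in h:
            found[ip] = h["location"]
    return found

def discover(timeout=3.0):  # live scan of the network this host has joined
    replies = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_msearch(), SSDP_ADDR)
        try:
            while True:
                data, addr = s.recvfrom(4096)
                replies.append((data, addr[0]))
        except socket.timeout:
            pass
    return dial_receivers(replies)

# Constructed sample replies (documentation addresses, not captured traffic).
SAMPLE = [
    (b"HTTP/1.1 200 OK\r\nST: urn:dial-multiscreen-org:service:dial:1\r\n"
     b"LOCATION: http://192.0.2.10:8060/dd.xml\r\n\r\n", "192.0.2.10"),
    (b"HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\n"
     b"LOCATION: http://192.0.2.1:5000/rootDesc.xml\r\n\r\n", "192.0.2.1"),
]
```

`dial_receivers(SAMPLE)` keeps only the first reply; a neighbor's Miracast sink would never appear in this kind of scan because it is not reached through the router.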

Looking at the How to use Smart View section on this page: Support Home | Official Samsung Support US

Item #1 says: “Connect your mobile/PC and TV to the same network.”

Thanks for the info, it took some hunting on my phone to find the feature. I only found 1 device, presumably my Roku (will try later). I disconnected the phone from wifi and still found it, so I guess it indeed can look beyond wireless servers.

The real requirement is that both devices are on the same wifi channel. I guess they figure it’s too hard to communicate that to consumers, so they just say they should be on the same network, which ensures they’re on the same channel.

I found this thread which confirms you can screencast to your neighbor’s Roku: https://forums.roku.com/viewtopic.php?f=28&t=76609 I think markn+ posts as RokuMarkn in the thread.

So the good news is, your wi-fi network is definitely not compromised. However, I am still surprised this “feature” was implemented in this way.

I think you’re right. My neighbours’ kids have cast to my Roku 3 a couple of times and the first time it happened, I went straight to the router administration to check if they were on my network (they were not).

You should look at changing the channel on which your wifi operates.

Why is that? It’s already the least populated channel.