Yeah, reading the followup to that post, I think they just created a new intermediate with the same key as the old one & pushed this to chromecasts. I didn’t know this was a thing you could do. Learn something new every day 😁.

I’ve seen enterprise network equipment with this same issue, but the manufacturer instead forced owners to manually renew device certificates. Their device authentication is now broken because the certificate private keys were poorly protected in transit.

I’m wondering now why they didn’t just use this key rewrap trick

If the problem is an expired device certificate then this was a very quick turnaround.

All shipped chromecast receiver devices have the device cert private key safely locked behind a TPM. Sending new certificates across the network without carefully planning things gives us a chance to intercept them & use them in our own receiver software which could e.g. download streams from Netflix/ Disney etc.