Hackers have discovered a bug that allows attackers to seize control of Google’s Chromecast media streaming player, making it possible to force the device into “playing any YouTube video they want—including videos that are custom-made,” TechCrunch reported on Wednesday.
The bug exploits one well-known vulnerability (routers that have Universal Plug and Play [UPnP] enabled by default, exposing devices on a network to the broader web) as well as an apparent flaw in Chromecast’s design that allows anyone able to access the device to “hijack the media stream and display whatever they want” without authentication, TechCrunch wrote. The site added the latter bug has been known for years after it was discovered by security researchers:
Bishop Fox, a security consultancy firm, first found the bug in 2014, not long after the Chromecast debuted. The researchers found that they could conduct a “deauth” attack that disconnects the Chromecast from the Wi-Fi network it was connected to, causing it to revert back to its out-of-the-box state, waiting for a device to tell it where to connect and what to stream. That’s when it can be hijacked and forced to stream whatever the hijacker wants. All of this can be done in an instant — as they did — with a touch of a button on a custom-built handheld remote.
Two years later, U.K. cybersecurity firm Pen Test Partners discovered that the Chromecast was still vulnerable to “deauth” attacks, making it easy to play content on a neighbour’s Chromecasts in just a few minutes.
According to TechCrunch, this vulnerability was discovered by the hacker known as Hacker Giraffe and used the technique to force thousands of Chromecasts to play a video warning that “YOUR Chromecast/Smart TV is exposed to the public internet and is exposing sensitive information about you!” Hacker Giraffe did provide a URL for afflicted users to learn more about the UPnP vulnerability, as well as quickly render it useless:
Disable UPnP on your router, and if you’re port forwarding ports 8008/8443/8009 then STOP forwarding them.
Hacker Giraffe also directed people to subscribe to Felix “PewDiePie” Kjellberg—a YouTube star and perennial edgelord. (The individual behind the pseudonym also took credit for hijacking tens of thousands of printers earlier this year to spew a message reading in part, “PewDiePie is in trouble and he needs your help to defeat T-Series!”)
TechCrunch noted that the exploit could be used to pull off a complicated series of attacks, such as playing voice commands loud enough to be overheard by a smart speaker and thus mess with any connected accounts or devices.
As Gizmodo previously reported, “UPnP has a lengthy track record of being compromised by hackers, often by exposing devices to the internet that should only be visible locally. [Content delivery network] Akamai reported this summer that UPnP was being used by hackers to conceal traffic in an ‘organised and widespread abuse campaign.’” A recent attack using a UPnP vulnerability incorporated EternalBlue, a National Security Agency-developed exploit that leaked in 2017.
In a statement to TechCrunch, Google acknowledged it had received reports of the video popping up on Chromecasts, but claimed: “This is not an issue with Chromecast specifically, but is rather the result of router settings that make smart devices, including Chromecast, publicly reachable.”