Researcher Distributes Tool That Enables Mass-Hijacking Of Google Chromecast Devices

Researcher Distributes Tool That Enables Mass-Hijacking Of Google Chromecast Devices
Attendees walk by a poster with an image of the new Google Chromecast during a Google media event on September 29, 2015 in San Francisco, California. (Photo: Getty / Justin Sullivan)

A method a pair of hackers used this week to hijack thousands of Google Chromecast devices is, for those who hadn’t figured it out already, now plain as day.

Uploaded to Github on Thursday, a tool called Crashcast enables the almost instantaneous takeover all of Chromecast streaming devices left accessible online by mistake. This same misconfiguration issue was taken advantage of by the hacker duo Hacker Giraffe and j3ws3r earlier this week to broadcast a message in support of the YouTube star Felix Kjellberg, more widely known as PewDiePie, to thousands of Chromecast owners.

The prank was intended to draw attention, the hacker said, to the fact that thousands of Chromecast devices globally have been left exposed unnecessarily.

Hacker Giraffe, who not too long ago pulled a similar prank using internet-connected printers, said on Thursday that the backlash caused by the Chromecast high jinks led them to give up hacking. The fear of getting caught and prosecuted, the hacker wrote on Pastebin, was causing “all kinds of fears and panic attacks.”

“I just wanted to inform people of their vulnerable devices while supporting a YouTuber I liked. I never meant any hard, nor did I ever have any ill intentions,” they added.

But now a tool which accomplishes the same feat is accessible to virtually anyone, thanks to Amir Khashayar Mohammadi, a security and freelance researcher. Mohammadi tells Gizmodo, however, that the tool he’s released is merely a proof-of-concept uploaded to further research into the problem, and is not intended for people to use maliciously.

Crashcast shown preparing to broadcast a YouTube video to 176,642 Chromecast devices.

Luckily, the problem is a fairly benign one. The tool doesn’t allow for remote code execution, so forcing the device to play random YouTube videos is about all that can be accomplished. “You’re not necessarily hacking anything here,” Mohammadi says. “All you’re doing is issuing a cURL command which in this case tells the Chromecast to view a video.”

“There is no authentication or bypass, you’re actually doing what the Chromecast is intended to do, except the reason this works is because they’re all being exposed to the internet,” he continued, adding: “I mean honestly, why would anyone leave their Chromecast on the internet? It makes no sense. You’re literally asking for it.”

His tool works by works by first identifying all of the Chromecast devices that are publicly accessible, a feat accomplished thanks to Shodan, a search engine designed to locate internet devices as opposed to web pages. Along with a recent version of Python, the programming language, Crashcast requires access to Shodan’s API, which costs around $US60 ($86), though can be got for free apparently with a .edu email account.

Crashcast is able to quickly locate all of the Chromecast devices that are publicly accessible and visible to Shodan. (At time of writing, Shodan can detect 176,268 individual Chromecasts devices.) Once the search is complete, the user is asked to input a YouTube video ID. And that’s basically it. Whatever video is selected should immediately be displayed by each of the devices.

Number of Chromecast devices per country left publicly accessible, according to Shodan.

“I do this for one reason and one reason only,” Mohammadi says. “To raise awareness.”

Readers take note: Using the tool might be considered a computer crime in numerous countries, including the United States. “My code is for researchers looking for [proof of concepts] for vulnerabilities talked about but not actually observed properly,” he says, emphasising that what people end up doing with the tools is on them. “I only write them, i don’t even use/test them, I just know they work.”

Mohammadi also said that while he’s not very familiar with Hacker Giraffe, he has heard of their exploits (pun intended).

“His tool more than likely does exactly what mine does,” he said. “Yea and I just noticed he has disappeared. I have one thing to say to that, it’s not his fault. Blame all those people who for no reason are exposing their Chromecasts, or printers, or cameras, whatever!”

Mohammadi continued: “These same people are the reasons why people like me have to release these tools so they get up and change their router configurations. We have to force these people to do it. Much like updating, people don’t do it unless there is a need. These are the same people who give power to such tools in the first place! Blame them entirely.”

For any Chromecast owners out there being forced to watch terrible YouTube videos they’d rather just not, the fix is fairly simple, though it may be harder for someone who’s never fiddled with their router’s internal settings before. (Disable forwarding on ports 8008 and 8443 should do the trick.) If you’re not so savvy, you can try running a search for instructions on how to access your router via your browser.

Worst case scenario, you can always try calling your ISP and ask for assistance. I wouldn’t, however, bother trying Google.

While Google did not respond to Gizmodo’s request for comment, earlier this week, the company attempted to distance itself from any issues experienced by its customers, saying, “This is not an issue with Chromecast specifically, but is rather the result of router settings that make smart devices, including Chromecast, publicly reachable.”