    CastHack Exposes Google Chromecast Device Users to Risk

    By
    SEAN MICHAEL KERNER
    -
    January 3, 2019

      A pair of hackers have taken aim at vulnerable Google Chromecast media streaming devices, sending unauthorized content and messages to unsuspecting users.

      The attack, dubbed “CastHack,” identifies Google Chromecast devices that have been exposed to the public internet. The two attackers, who operate under the aliases of “HackerGiraffe” and “j3ws3r,” then abuse capabilities in Chromecast to post a message to victims asking them to subscribe to the channel of popular YouTube streamer PewDiePie. Chromecast is a USB device that enables streaming video for consumer TVs.

      “If you came here because you’re a victim of #CastHack, then know that your Chromecast/SmartTV/GoogleHome is exposed to the public internet, and is leaking sensitive information related to your device and home,” the hackers wrote in an FAQ they posted about the attack. 

      According to HackerGiraffe and j3ws3r, the CastHack leak can enable a remote attacker to learn what WiFi network a vulnerable device is connected to, as well as what Bluetooth devices have been paired to the device. Additionally, and perhaps more impactful to victims, CastHack can enable attackers to remotely play media on a vulnerable device without any authorization or additional action from the user. A remote attacker could also potentially force a Chromecast to pair with a different Bluetooth device or even rename and reset the entire device.

      “Assuming the Chromecast/Google Home is the only problem you have, hackers CANNOT access other devices on the network or sniff information besides WiFi points and Bluetooth devices,” the CastHack hackers wrote. “They also don’t have access to your personal Google account, nor the Google Home’s microphone.”

      How CastHack Works

      CastHack takes advantage of several different misconfigurations.

      At the top level is the simple fact that some users have left the Universal Plug and Play (UPnP) feature on their routers open. UPnP is intended to be a convenience feature that enables devices to be discovered, making it easier for them to be controlled and used. With UPnP enabled, ports on the router are opened to the public internet, and a Chromecast device behind it can easily be discovered. As of Jan. 3, the Shodan search site is able to discover approximately 180,000 Chromecasts that are publicly visible. Of those, the vast majority (99,000) are in South Korea and approximately 16,000 are in the United States.

      CastHack is not the first time that hackers have taken aim at Chromecast devices. At the Black Hat USA 2014 conference, researchers from security firm BishopFox demonstrated the “Rickmote” controller that enabled them to stream singer Rick Astley’s “Never Going to Give You Up” in an attack known as Rickrolling against Chromecast devices. 

      How to Fix the Issue

      There are multiple steps users can take to limit the risk. The first, as suggested by the CastHack hackers themselves, is to disable UPnP on your router. There is also some evidence to suggest that Google engineers have taken steps to help protect users, even if UPnP has been left open. To date, Google has not publicly commented on the CastHack attackers or their methods.
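      Before turning UPnP off, a home user can ask the router itself what it has already forwarded. The following stdlib-only Python script is an added example, not code from the article or from the CastHack FAQ: it reads the router's UPnP Internet Gateway Device description, locates the WAN connection service and walks its port-mapping table, so that a Chromecast (or anything else) exposed the way described above shows up as a forwarded port. It assumes the router's UPnP description URL is known and passed on the command line; the 192.168.1.x addresses and the sample reply are constructed, not captured from a real device.

```python
import sys, urllib.error, urllib.request
from urllib.parse import urljoin
from xml.etree import ElementTree as ET

def _local(tag): return tag.rsplit("}", 1)[-1]  # "{urn:...:device-1-0}service" -> "service"

def find_control_url(desc_xml, base_url):
    """Return (serviceType, absolute controlURL) of the router's WAN(IP|PPP)Connection service."""
    for svc in ET.fromstring(desc_xml).iter():
        if _local(svc.tag) != "service":
            continue
        f = {_local(c.tag): (c.text or "").strip() for c in svc}
        if any(n in f.get("serviceType", "") for n in ("WANIPConnection", "WANPPPConnection")):
            return f["serviceType"], urljoin(base_url, f["controlURL"])
    return None

def parse_mapping(soap_xml):
    """Flatten one GetGenericPortMappingEntry reply: <NewExternalPort> becomes key 'ExternalPort'."""
    return {_local(e.tag)[3:]: (e.text or "").strip()
            for e in ET.fromstring(soap_xml).iter() if _local(e.tag).startswith("New")}

def list_port_mappings(control_url, service_type, limit=256):  # walk indices until a SOAP fault
    body = ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
            '<u:GetGenericPortMappingEntry xmlns:u="%s"><NewPortMappingIndex>%d'
            '</NewPortMappingIndex></u:GetGenericPortMappingEntry></s:Body></s:Envelope>')
    hdr = {"Content-Type": 'text/xml; charset="utf-8"',
           "SOAPAction": '"%s#GetGenericPortMappingEntry"' % service_type}
    out = []
    for i in range(limit):
        req = urllib.request.Request(control_url, (body % (service_type, i)).encode(), hdr)
        try:
            with urllib.request.urlopen(req, timeout=5) as r:
                out.append(parse_mapping(r.read()))
        except urllib.error.HTTPError:  # HTTP 500 SpecifiedArrayIndexInvalid marks the end of the table
            break
    return out

# Constructed sample of one router reply (not captured from a real device), so the parser runs offline.
SAMPLE_REPLY = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost><NewExternalPort>8008</NewExternalPort><NewProtocol>TCP</NewProtocol>
<NewInternalPort>8008</NewInternalPort><NewInternalClient>192.168.1.23</NewInternalClient><NewEnabled>1</NewEnabled>
<NewPortMappingDescription>Chromecast</NewPortMappingDescription></u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""

if __name__ == "__main__":  # usage: python upnp_audit.py http://192.168.1.1:1900/rootDesc.xml
    with urllib.request.urlopen(sys.argv[1], timeout=5) as r:
        svc = find_control_url(r.read(), sys.argv[1])
    for m in list_port_mappings(*svc) if svc else []:
        print(m["Protocol"], m["ExternalPort"], "->", m["InternalClient"] + ":" + m["InternalPort"], m["PortMappingDescription"])
```

Any mapping the script prints is reachable from the internet until it is deleted or UPnP is disabled; an empty table (or no UPnP service at all) is the state the CastHack hackers recommend.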

      The CastHack hackers have stopped their activity and currently are not actively attacking devices. In a message posted on Pastebin on Jan. 3, The HackerGiraffe announced the cessation of activity.

      “It may not look like it, but the constant pressure of being afraid of being caught and prosecuted has been keeping me up and giving me all kinds of fears and panic attacks,” The HackerGiraffe wrote. “I just wanted to inform people of their vulnerable devices while supporting a YouTuber I liked. I never meant any harm, nor did I ever have any ill intentions. I’m sorry if anything I’ve done has made you feel under attack or threatened.”

      Securing IoT

      CastHack serves as yet another example of how connected devices can be exploited. No doubt many new connected devices, including Chromecasts, were received as holiday gifts, which is why US-CERT issued guidance on Dec. 28, 2018, to help users secure those devices.

      US-CERT recommends that users:

      • Use strong passwords
      • Keep software updated and patched
      • Evaluate security settings on devices to limit risk

      Additionally, US-CERT advises that users connect carefully.

      “Once your device is connected to the internet, it’s also connected to millions of other computers, which could allow attackers access to your device,” US-CERT advises. “Consider whether continuous connectivity to the internet is needed.” 

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
