A pair of hackers have taken aim at vulnerable Google Chromecast media streaming devices, sending unauthorized content and messages to unsuspecting users.
The attack, dubbed “CastHack,” identifies Google Chromecast devices that have been exposed to the public internet. The two attackers, who operate under the aliases of “HackerGiraffe” and “j3ws3r,” then abuse capabilities in Chromecast to post a message to victims asking them to subscribe to the channel of popular YouTube streamer PewDiePie. Chromecast is a USB device that enables streaming video for consumer TVs.
“If you came here because you’re a victim of #CastHack, then know that your Chromecast/SmartTV/GoogleHome is exposed to the public internet, and is leaking sensitive information related to your device and home,” the hackers wrote in an FAQ they posted about the attack.
According to HackerGiraffe and j3ws3r, the CastHack leak can enable a remote attacker to learn what WiFi network a vulnerable device is connected to, as well as what Bluetooth devices have been paired to the device. Additionally and perhaps more impactful to victims is the fact that CastHack can enable attackers to remotely play media on a vulnerable device without any authorization or additional action from the user. A remote attacker could also potentially force a Chromecast to pair with a different Bluetooth device or even rename and reset the entire device.
“Assuming the Chromecast/Google Home is the only problem you have, hackers CANNOT access other devices on the network or sniff information besides WiFi points and Bluetooth devices,” the CastHack hackers wrote. “They also don’t have access to your personal Google account, nor the Google Home’s microphone.”
CastHack takes advantage of several different misconfigurations.
At the top level is the simple fact that some users have left the Universal Plug and Play (UPnP) feature on their routers open. UPnP is intended to be a convenience feature that enables devices to be discovered, making it easier for them to be controlled and used. With UPnP, ports on a router are open to the public internet and a Chromecast device can easily be discovered. As of Jan. 3, the Shodan search site is able to discover approximately 180,000 Chromecasts that are publicly visible. Of those, the vast majority (99,000) are in South Korea and approximately 16,000 are in the United States.
CastHack is not the first time that hackers have taken aim at Chromecast devices. At the Black Hat USA 2014 conference, researchers from security firm BishopFox demonstrated the “Rickmote” controller that enabled them to stream singer Rick Astley’s “Never Going to Give You Up” in an attack known as Rickrolling against Chromecast devices.
How to Fix the Issue
There are multiple steps the users can take to limit the risk. The first, as suggested by the CastHack hackers themselves, is to disable UPnP on your router. There is also some evidence to suggest that Google engineers have also taken steps to help protect users, even if UPnP has been left open. To date, Google has not publicly commented on the CastHack attackers or their methods.
The CastHack hackers have stopped their activity and currently are not actively attacking devices. In a message posted on Pastebin on Jan. 3, The HackerGiraffe announced the cessation of activity.
“It may not look like it, but the constant pressure of being afraid of being caught and prosecuted has been keeping me up and giving me all kinds of fears and panic attacks,” The HackerGiraffe wrote. “I just wanted to inform people of their vulnerable devices while supporting a YouTuber I liked. I never meant any harm, nor did I ever have any ill intentions. I’m sorry if anything I’ve done has made you feel under attack or threatened.”
CastHack serves as yet another example of how connected devices can be exploited. No doubt many new connected devices, including Chromecasts, were received as holiday gifts, which is why US-CERT issued guidance on Dec. 28, 2018, to help users secure those devices.
US-CERT recommends that users:
- Use strong passwords
- Keep software updated and patched
- Evaluate security settings on devices to limit risk
Additionally, US-CERT advises that users connect carefully.
“Once your device is connected to the internet, it’s also connected to millions of other computers, which could allow attackers access to your device,” US-CERT advises. “Consider whether continuous connectivity to the internet is needed.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.