Hackers have hijacked thousands of exposed Chromecast streaming devices to warn users of the latest security flaw to affect the device. But other security researchers say that the bug, if left unfixed, could be used for more disruptive attacks.
The culprits, known as HackerGiraffe and j3ws3r, have become the latest to figure out how to trick Google’s media streamer into playing any YouTube video they want, including videos that are custom-made. This time around, the hackers forced the affected Chromecasts to display a pop-up notice, viewable on the attached TV, warning the user that their misconfigured router is exposing their Chromecast and smart TV to hackers like themselves.
Not one to waste an opportunity, the hackers also ask that you subscribe to PewDiePie, an awful internet person with a popular YouTube following. (He’s the same hacker who tricked thousands of exposed printers into printing out messages in support of PewDiePie.)
The bug, dubbed CastHack, exploits a weakness in both the Chromecast and the router it connects to. Some home routers have Universal Plug and Play (UPnP) enabled, a networking standard that can be exploited in many ways. UPnP forwards ports from the internal network to the internet, making Chromecasts and other devices viewable and accessible from anywhere on the internet.
As the two say, disabling UPnP should fix the problem.
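The check behind that advice is to ask the router which UPnP port mappings it has already created. The script below is an added example, not code from the article or from any of the researchers it names; it assumes the router exposes the standard WANIPConnection:1 service and that the caller supplies its SOAP control URL (SSDP discovery is left out), and the sample reply embedded in it is constructed.

```python
"""Audit the UPnP port mappings a home router has created (added example, not
from the article; assumes the WANIPConnection:1 SOAP control URL is supplied)."""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
FIELDS = ("NewRemoteHost", "NewExternalPort", "NewProtocol", "NewInternalPort",
          "NewInternalClient", "NewEnabled", "NewPortMappingDescription")
# Constructed sample of one GetGenericPortMappingEntry reply (not from a real router).
SAMPLE_RESPONSE = f"""<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Body><u:GetGenericPortMappingEntryResponse xmlns:u="{SERVICE}"><NewRemoteHost></NewRemoteHost>
<NewExternalPort>8008</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>8008</NewInternalPort>
<NewInternalClient>192.168.1.23</NewInternalClient><NewEnabled>1</NewEnabled>
<NewPortMappingDescription>chromecast</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""

def parse_port_mapping(soap_xml: str) -> dict:
    """Extract one mapping from a SOAP reply; namespace prefixes vary by vendor,
    so elements are matched on their local tag name only."""
    found = {el.tag.rsplit("}", 1)[-1]: (el.text or "").strip()
             for el in ET.fromstring(soap_xml).iter()}
    return {f: found.get(f, "") for f in FIELDS}

def fetch_mappings(control_url: str, limit: int = 200) -> list:
    """Walk the mapping table by index; the router returns a SOAP fault (HTTP 500,
    UPnP error 713 SpecifiedArrayIndexInvalid) once the index runs past the end."""
    mappings = []
    for idx in range(limit):
        body = (f'<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"'
                f' s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
                f'<u:GetGenericPortMappingEntry xmlns:u="{SERVICE}"><NewPortMappingIndex>{idx}'
                f'</NewPortMappingIndex></u:GetGenericPortMappingEntry></s:Body></s:Envelope>')
        req = urllib.request.Request(control_url, data=body.encode(), headers={
            "Content-Type": 'text/xml; charset="utf-8"',
            "SOAPAction": f'"{SERVICE}#GetGenericPortMappingEntry"'})
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                mappings.append(parse_port_mapping(resp.read().decode()))
        except urllib.error.HTTPError:
            break  # end of table (or a router that refuses the query)
    return mappings

def exposed_mappings(mappings: list) -> list:
    """Report every enabled mapping with no remote-host restriction: each is a LAN
    device (Chromecast or otherwise) reachable from anywhere on the internet."""
    return [f"{m['NewProtocol']} {m['NewExternalPort']} -> {m['NewInternalClient']}:"
            f"{m['NewInternalPort']} ({m['NewPortMappingDescription'] or 'no description'})"
            for m in mappings if m["NewEnabled"] == "1" and m["NewRemoteHost"] == ""]
```

Any line `exposed_mappings` reports is a device the router has made reachable from the whole internet; deleting the mapping or disabling UPnP on the router removes the exposure.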
“We have received reports from consumers who have had an unauthorized video played on their TVs via a Chromecast device,” a Google spokesperson told TechCrunch. “This is not an issue with Chromecast specifically, but is rather the result of router settings that make smart devices, including Chromecast, publicly reachable,” the spokesperson said.
That’s true on one hand, but it doesn’t address the underlying issue: that the Chromecast can be tricked into giving an unauthenticated attacker the access needed to hijack a media stream and show whatever they want.
Bishop Fox, a security consultancy firm, first found a hijack flaw in 2014, not long after the Chromecast debuted. The researchers found that they could conduct a “deauth” attack that disconnects the Chromecast from the Wi-Fi network it was connected to, causing it to revert back to its out-of-the-box state, awaiting a device to tell it where to connect and what to stream. That’s when it can be hijacked and forced to stream whatever the hijacker wants. All of this can be done in an instant, as they did, with the touch of a button on a custom-built handheld remote.
Two years later, U.K. cybersecurity firm Pen Test Partners found that the Chromecast was still vulnerable to “deauth” attacks, making it easy to play content on a neighbor’s Chromecast in just a few minutes.
Ken Munro, who founded Pen Test Partners, says there’s “no surprise that somebody else stumbled on to it,” given that both Bishop Fox saw it in 2014 and his company tested it in 2016.
“In fairness, we never thought that the service would be exposed on the public internet, so that is a very valid finding of his, full credit to him for that,” Munro told TechCrunch. (Google said in a follow-up email that it’s working to fix the deauth bug.)
He said the way the attack is conducted is different, but the method of exploitation is the same. CastHack can be exploited via the internet, while Bishop Fox’s and his own “deauth” attacks can be carried out within range of the Wi-Fi network, yet both let the hacker control what’s displayed on the TV from the Chromecast, he said.
Munro said Google should have fixed the flaw in 2014, when it first had the chance.
“Allowing control over a local network without authentication is a really silly notion on [Google’s] part,” he said. “Because customers do silly things, like expose their TVs on the internet, and hackers find flaws in services that can be exploited.”
But Munro said that this kind of attack, although obnoxious and intrusive on the face of it, could be exploited to far more malicious ends.
In a blog post Wednesday, Munro said it was easy to exploit other smart home devices, like an Amazon Echo, by hijacking a Chromecast and forcing it to play commands loud enough to be picked up by its microphone. That’s happened before, when smart assistants get confused by words they overhear on the television or radio, and suddenly and without warning purchase items from Amazon. (You can and should turn on a PIN for ordering through Amazon.)
To name a few, Munro said it’s possible to force a Chromecast into loading a YouTube video created by an attacker to trick an Echo into: “Alexa, order an iPad,” or, “Alexa, turn off the house alarm,” or, “Alexa, set an alarm every day at 3am.”
Amazon Echos and other smart devices are widely considered to be secure, even if they’re prone to overhearing things they shouldn’t. Often, the weakest link is humans. Second to that, it’s the other devices around smart home assistants that pose the greatest risk, said Munro in his blog post. That was demonstrated recently when Canadian security researcher Render Man showed how using a sound transducer against a window can trick a nearby Amazon Echo into unlocking a network-connected smart lock on the front door of a house.
“Google needs to properly fix the Chromecast deauth bug that allows casting of YouTube traffic,” said Munro.
Updated at 9pm ET: with a new, clearer headline to better reflect the flaws over the years, and an additional statement from Google.