Hackers claim to have hijacked thousands of internet-exposed streaming devices such as Chromecasts, smart TVs and Google Home devices, including Home smart speakers, forcing them to play a video from PewDiePie's YouTube channel. The hackers, who go by the monikers TheHackerGiraffe, j3ws3r and @friendlyh4xx0r, are behind this campaign, known on Twitter as #CastHack.
Through a thread of tweets, the hacker announced that the campaign takes advantage of smart-device users whose incorrectly configured routers run the UPnP (Universal Plug’n’Play) service, which forwards specific ports from the internal network. The ports are 8008, 8009 and 8443, which devices such as smart TVs, Chromecast and Google Home normally use to manage some of their functions. With this, the hackers managed to hijack the aforementioned devices to play YouTube star PewDiePie's videos.
This bug is similar to one detected in Chromecast in 2014 by Petro, a senior security analyst at the consultancy firm Bishop Fox, just a year after the device's debut. He built a remote from a Raspberry Pi computer, two wireless cards and a touchscreen, all assembled in a 3D-printed plastic enclosure.
With the home-made gadget, the hacker was able to send a 'Deauth' command to the Chromecast to disconnect it from the Wi-Fi network. When the Google Chromecast reboots, it enters reconfiguration mode, turning itself into a Wi-Fi hotspot and waiting for commands from a local computer or any nearby internet-connected device. The hacker can then control the Chromecast and play any content on the TV. Petro used the method to prank his friends, but it was nevertheless a security hole. For reasons unknown, Google chose to ignore it, and now it has come back to haunt the company under a new name, ‘#CastHack’.
However, #CastHack also seems to be a prank by its creators, TheHackerGiraffe, j3ws3r and @friendlyh4xx0r, and it is believed that they may be ethical white hat hackers who want to draw Google's attention to this loophole so that it gets fixed. They have hosted a webpage showing the number of Chromecasts, Google Home devices and smart TVs that have been affected by #CastHack.
According to cybersecurity experts, the hackers are not exploiting a vulnerability in any device but are taking advantage of flaws in the configuration of thousands of routers.
As per the latest numbers, #CastHack has affected more than 65,000 smart TVs with Chromecast and 1,500 Google Home smart speakers. The hackers have also succeeded in playing videos on 6,700 TVs and have even renamed the devices.
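A defensive check for the router misconfiguration described above, as an added example that is not from the original article: it parses a router's UPnP port-mapping listing and flags forwards that touch ports 8008, 8009 or 8443. The listing format is modelled on what miniupnpc's `upnpc -l` prints (an assumption), and the sample rows, addresses and function names are constructed for illustration.

```python
import re

# Ports the article names as the ones forwarded to cast devices.
CAST_PORTS = {8008, 8009, 8443}

# One mapping per row: index, protocol, external port -> internal host:port, description.
MAPPING_RE = re.compile(
    r"^\s*\d+\s+(?P<proto>TCP|UDP)\s+(?P<ext>\d+)->"
    r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}):(?P<int>\d+)\s+'(?P<desc>[^']*)'"
)

# Constructed sample listing (not captured from a real router).
SAMPLE_LISTING = """\
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 TCP  8008->192.168.1.23:8008  'cast' '' 0
 1 UDP 51413->192.168.1.40:51413 'torrent client' '' 0
 2 TCP  8443->192.168.1.23:8443  'cast' '' 0
 3 TCP 18009->192.168.1.31:8009  'speaker' '' 3600
 4 TCP  3074->192.168.1.55:3074  'console' '' 0
"""

def parse_mappings(listing):
    """Return one dict per port-mapping row; header and unrelated lines are skipped."""
    mappings = []
    for line in listing.splitlines():
        m = MAPPING_RE.match(line)
        if m:
            mappings.append({
                "proto": m["proto"],
                "external_port": int(m["ext"]),
                "internal_host": m["host"],
                "internal_port": int(m["int"]),
                "description": m["desc"],
            })
    return mappings

def exposed_cast_mappings(mappings):
    """Forwards whose external OR internal port is a cast port.

    Checking the internal port too catches forwards that were remapped to a
    different external port (row 3 in the sample) but still reach the device.
    """
    return [m for m in mappings
            if m["external_port"] in CAST_PORTS or m["internal_port"] in CAST_PORTS]

if __name__ == "__main__":
    for m in exposed_cast_mappings(parse_mappings(SAMPLE_LISTING)):
        print(f"{m['proto']} {m['external_port']} -> "
              f"{m['internal_host']}:{m['internal_port']} ({m['description']})")
```

Any row this reports is a forward to remove on the router, and disabling UPnP on the router stops such forwards from being created again.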
As Gizmodo previously reported, “UPnP has a lengthy track record of being compromised by hackers, often by exposing devices to the internet that should only be visible locally.”
Akamai reported this summer that UPnP was being used by hackers to conceal traffic in an ‘organized and widespread abuse campaign.’ A recent attack using a UPnP vulnerability incorporated EternalBlue, a National Security Agency-developed exploit that leaked in 2017.
TheHackerGiraffe also hinted earlier on Twitter that he is looking into expanding the scripts to add support for targeting Sonos devices as well.
Hacking and forcing Chromecast devices to play a desired video or audio is not a new thing. Such hacks have been known since at least 2013.
As per cybersecurity experts, it’s possible to force a Chromecast into loading a YouTube video created by an attacker to trick an Echo with commands such as “Alexa, order an iPad,” or, “Alexa, turn off the house alarm,” or, “Alexa, set an alarm every day at 3am.”
Amazon Echo and other smart devices are widely considered to be secure, even if they’re prone to overhearing things they shouldn’t. Often, humans are the weakest link. Second to that, it’s the other devices around smart home assistants that pose the biggest risk.
It would be great if Google found a solution before cybercriminals develop more sinister versions, which might affect Chromecast, Google Home speaker and smart TV owners financially.