A hacker duo claims to have hijacked thousands of internet-exposed Chromecasts, smart TVs, and Google Home devices to play a video urging users to subscribe to PewDiePie’s YouTube channel. The main hacker behind this hacking campaign –codenamed CastHack– is known online as TheHackerGiraffe. The hacker explained on Twitter that CastHack takes advantage of users who use incorrectly configured routers that have the UPnP (Universal Plug’n’Play) service enabled, service which forwards specific ports from the internal network on the Internet.
Commenting on the news is Craig Young, computer security researcher for Tripwire’s Vulnerability and Exposure Research Team:
“Many connected media devices, including Google Chromecast, have made the unfortunate design choice to lack any meaningful authentication checks when handling user requests.
I’ve expressed concerns about this model to several media device vendors including Google but the prevailing attitude seems to be that these devices are made for home use and that anyone on a home network should be trusted. Ideally, these devices should have some form of pairing process in which the end-user must prove that they are authorized to use the device. This proof can be as simple as pushing a button on the device or entering a passcode. Google Chromecast even has a Guest mode where the user must enter a code from the screen to prove they are near it but this was designed more as a usability feature than a security feature and can be easily bypassed by an attacker on the network.
A key problem here is the misconception that LANs are actually private networks. The reality is that there can be a number of ways for external attackers to gain unauthorized access into these “private” home networks. In this case, the miscreants have abused routers with UPnP misconfigurations but web browsing and mobile apps can also expose internal networks. My research from this past summer showing how Google Chromecast and Home could be hijacked via DNS rebinding is a prime example of this.
Although I do not condone the actions of these hackers, I do hope that this can serve as a wakeup call for vendors to rethink their authentication models.”