Hackers have hijacked thousands of exposed Chromecast streaming devices to warn users of the latest security flaw to affect the device. But other security researchers say that the bug — if left unfixed — could be used for more disruptive attacks.

The culprits, known as Hacker Giraffe[1] and J3ws3r[2], have become the latest to figure out how to trick Google’s media streamer into playing any YouTube video they want — including videos that are custom-made. This time around, the hackers forced the affected Chromecasts to display a pop-up notice that’s viewable on the connected TV, warning the user that their misconfigured router is exposing their Chromecast and smart TV to hackers like themselves.

Not ones to waste an opportunity, the hackers also ask that you subscribe to PewDiePie, an awful internet person[3] with a popular YouTube following. (He’s the same hacker who tricked thousands of exposed printers[4] into printing support for PewDiePie.)

The bug, dubbed CastHack, exploits a weakness in both Chromecast and the router it connects to. Some home routers have enabled Universal Plug and Play (UPnP), a networking standard that can be exploited[5] in many ways. UPnP forwards ports from the internal network to the internet, making Chromecasts and other devices viewable and accessible from anywhere on the internet.

As the two say[6], disabling UPnP should fix the problem.
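A defender-side check that follows from this fix, as an added example that is not from the article or the hackers' own write-up: it parses UPnP port-mapping entries read from a home router and flags enabled TCP forwards that point at a Chromecast. The port set (8008, 8009, 8443), the function names and the sample responses are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumption (not stated in the article): TCP ports commonly used by
# Chromecast's local control services.
CAST_PORTS = {8008, 8009, 8443}

def _sample(ext, proto, int_port, client, enabled, desc):
    """Build a constructed GetGenericPortMappingEntry SOAP response."""
    return f"""<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>
<NewProtocol>{proto}</NewProtocol><NewInternalPort>{int_port}</NewInternalPort>
<NewInternalClient>{client}</NewInternalClient><NewEnabled>{enabled}</NewEnabled>
<NewPortMappingDescription>{desc}</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""

# Constructed sample data: what a router with UPnP enabled might report.
SAMPLE_RESPONSES = [
    _sample(8009, "TCP", 8009, "192.168.1.23", 1, "cast"),
    _sample(51413, "UDP", 51413, "192.168.1.40", 1, "torrent"),
    _sample(8008, "TCP", 8008, "192.168.1.23", 0, "cast-http"),  # disabled
    _sample(32400, "TCP", 8008, "192.168.1.23", 1, "remap"),     # remapped port
]

def parse_mapping(xml_text):
    """Return the New* fields of one response as a dict (prefix stripped)."""
    fields = {}
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.split("}")[-1]          # drop any XML namespace
        if tag.startswith("New"):
            fields[tag[3:]] = (el.text or "").strip()
    return fields

def exposed_cast_mappings(responses):
    """List enabled TCP forwards whose internal port is a Cast port."""
    findings = []
    for xml_text in responses:
        m = parse_mapping(xml_text)
        if m.get("Enabled") != "1" or m.get("Protocol", "").upper() != "TCP":
            continue
        internal = int(m["InternalPort"])
        if internal in CAST_PORTS:           # match on internal port, not external
            findings.append((int(m["ExternalPort"]), m["InternalClient"],
                             internal, m.get("PortMappingDescription", "")))
    return findings

if __name__ == "__main__":
    for ext, client, internal, desc in exposed_cast_mappings(SAMPLE_RESPONSES):
        print(f"internet:{ext} -> {client}:{internal} ({desc})")
```

Matching on the internal port rather than the external one catches forwards that were remapped to an unrelated-looking external port.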

“We have received reports from users who have had an unauthorized video played on their TVs via a Chromecast device,” a Google[7] spokesperson told TechCrunch. “This is not an issue with Chromecast specifically, but is rather the result of router settings that make smart devices, including Chromecast, publicly reachable,”...

Read more from our friends at TechCrunch