Two hackers have hijacked thousands of internet Chromecasts, smart TVs, and Google Home devices to help PewDiePie’s YouTube channel.
The hacker known as CastHack, also known as TheHackerGiraffe, explained on Twitter that his tool CastHack takes advantage of users whose incorrectly configured routers have the UPnP service enabled.
Cybersecurity experts say that many connected media devices, including Google Chromecast, have a big flaw in their design: the lack of any meaningful authentication checks when handling user requests.
Over time, many concerns have been raised with several media device vendors, including Google, but nothing has changed because these devices are made for home use, on the assumption that anyone on a home network should be trusted. Even if these devices have some form of pairing process in which the end user must prove that they are authorized to use the device, they also have a big flaw that overrides this so-called security option.
Remember, everything can be hacked. To stay away from threats in the cyber world, we recommend installing an antivirus for Windows or an antivirus for Mac on every device that you own, depending on which OS the device is running. If you are a company, it is also recommended to hire a specialized cybersecurity company every year to run annual tests on your company’s network. These tests include penetration testing and ethical hacking tests.
For example, Google Chromecast has a Guest mode where the user must enter a code from the screen to prove they are near it, but it can be easily bypassed by a hacker who is already on the same network as the device.
The main problem here is the assumption that LANs are actually private networks.
But in reality, there are a number of ways to gain unauthorized access to these “private” home networks. In this particular case, UPnP misconfigurations are abused to enslave web browsers and mobile apps which are exposed to the internal networks. Google Chromecast and Home, in particular, can be hijacked via DNS rebinding.
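The UPnP misconfiguration described above can be checked from the defender's side by reviewing the router's port-mapping table for forwards that expose a Cast device to the internet. The following is an added example, not code from the article or from CastHack; the response format follows the UPnP IGD `GetGenericPortMappingEntry` action, the Cast ports 8008, 8009 and 8443 are an assumption not stated on the page, and the sample responses are constructed.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Assumption: TCP ports commonly associated with Chromecast/Google Home (not from the page).
CAST_PORTS = {8008, 8009, 8443}

# Shape of an IGD GetGenericPortMappingEntryResponse; the values filled in are constructed.
TEMPLATE = (
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    '<u:GetGenericPortMappingEntryResponse '
    'xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
    "<NewRemoteHost>{0}</NewRemoteHost><NewExternalPort>{1}</NewExternalPort>"
    "<NewProtocol>{2}</NewProtocol><NewInternalPort>{3}</NewInternalPort>"
    "<NewInternalClient>{4}</NewInternalClient><NewEnabled>{5}</NewEnabled>"
    "<NewPortMappingDescription>sample</NewPortMappingDescription>"
    "<NewLeaseDuration>0</NewLeaseDuration>"
    "</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"
)
SAMPLES = [  # constructed, not captured from a real router
    TEMPLATE.format("", 8008, "TCP", 8008, "192.168.1.23", 1),    # open to any host
    TEMPLATE.format("", 51413, "UDP", 51413, "192.168.1.40", 1),  # unrelated service
    TEMPLATE.format("", 18009, "TCP", 8009, "192.168.1.23", 1),   # remapped WAN port
    TEMPLATE.format("", 8443, "TCP", 8443, "192.168.1.23", 0),    # disabled entry
    TEMPLATE.format("203.0.113.5", 8009, "TCP", 8009, "192.168.1.23", 1),  # one peer only
]

def parse_mapping(xml_text):
    """Return the New* fields of one response as a dict keyed without the 'New' prefix."""
    root = ET.fromstring(xml_text)
    return {e.tag[3:]: e.text or "" for e in root.iter() if e.tag.startswith("New")}

def is_exposed(m):
    """Enabled TCP forward from any remote host (empty RemoteHost) to a LAN Cast port."""
    return (m["Enabled"] == "1" and m["Protocol"] == "TCP" and m["RemoteHost"] == ""
            and ipaddress.ip_address(m["InternalClient"]).is_private
            and int(m["InternalPort"]) in CAST_PORTS)

def audit(responses):
    """List (wan_port, lan_host, lan_port) for every mapping that exposes a Cast port."""
    maps = [parse_mapping(r) for r in responses]
    return [(int(m["ExternalPort"]), m["InternalClient"], int(m["InternalPort"]))
            for m in maps if is_exposed(m)]

if __name__ == "__main__":
    for wan, host, port in audit(SAMPLES):
        print(f"WAN port {wan} -> {host}:{port}: Cast service reachable from the internet")
```

The check keys on the internal port rather than the WAN port, so a forward that was remapped to a different external port is still flagged.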
In this case, the actions of these hackers are harmless and funny, but if some bad actors are willing to do damage, this is the proof that it can be done.
Keep in mind that our modern society is dependent on computers, mobile devices, and the use of the internet. Always stay safe and secure.
We will continue to monitor this cybersecurity problem. Meanwhile, users should keep a keen eye out for any cyber attacks. Remember to use an antivirus for Windows or an antivirus for Mac on every device that you own, depending on which OS your machine is running. If you are a company, we recommend hiring a specialized cybersecurity company every year to run annual tests on your company’s network. Tests like this include penetration testing and ethical hacking.