
Hackers take over Chromecasts to warn owners about security risks

Just be happy they didn't choose to play YouTube Rewind 2018 instead


A couple of dutiful hackers have been hijacking thousands of Google's Chromecast streaming dongles to warn users that the devices can be taken over and remotely forced to play any YouTube video the attackers choose, reports TechCrunch.

The CastHack bug exploits a weakness in the Universal Plug and Play (UPnP) networking standard in some routers, which makes some connected devices – like Chromecasts – accessible on the internet.

The hackers exploited a UPnP bug in routers to display this message on Chromecast-equipped screens
Credit: TechCrunch

The two hackers, who go by the monikers Hacker Giraffe and J3ws3r, took the opportunity to display a message warning users about the security flaw. They also encouraged people to subscribe to YouTuber PewDiePie, and even rickrolled them with a link displayed on screen.

If any of that sounds remotely familiar, it’s because Hacker Giraffe is the punter behind last month’s hijacking of some 50,000 printers worldwide, that saw the devices spit out a message encouraging owners to subscribe to PewDiePie’s channel so that he could retain his position as the platform’s largest channel by audience (ahead of Indian music label T-Series).

Google told TechCrunch that the issue isn’t really a Chromecast flaw, but rather one that affects routers. In addition, the bug can be tackled by disabling UPnP on your router. Still, it’s worrying to learn that an attacker could hijack your Netflix binge anytime they pleased.

It’s not the first time Google's streaming dongle has been compromised. Bugs that allowed remote hijacking were discovered in Chromecasts back in 2014 (shortly after it debuted) and in 2016. Given that these devices are used by adults and children alike, Google would do well to further secure them and prevent unauthorized access – even if it’s not exactly the company’s fault.

Published January 3, 2019 — 07:31 UTC