Hackers have hijacked thousands of exposed Chromecast streaming devices to warn users of the latest security flaw to affect the device. But other security researchers say that the bug — if left unfixed — could be used for more disruptive attacks.
The culprits, known as Hacker Giraffe and J3ws3r, have become the latest people to figure out how to trick Google’s media streamer into playing any YouTube video they want — including videos that are custom-made. This time around, the hackers forced the affected Chromecasts to display a pop-up notice that’s viewable on the connected TV, warning the user that their misconfigured router is exposing their Chromecast and smart TV to hackers like themselves.
Hacker Giraffe, the same pseudonymous person who forced thousands of exposed printers last year to churn out pages saying “Subscribe to PewDiePie,” has set his sights on smart devices to promote the Swedish YouTube star’s channel. Not that PewDiePie needs much help. He has the top-ranked channel.
The hacker said he’s a fan of PewDiePie and thought promoting his channel would be funny.
“Honestly, it’s just for the memes,” Hacker Giraffe said in a direct message to CNET. “I like PewDiePie, and so why not?”
A few hours after the hack went live, PewDiePie tweeted at Hacker Giraffe, and wrote, “doing gods work.”
Hacker Giraffe worked on the hack with a partner who goes by j3ws3r, who said the video was done “out of respect” for the community.
“We could have done anything,” the partner said. “Jumped the air gap and made the TV say, ‘hey Alexa, buy me 5,000 toilet rolls.’”
Security researchers at Pen Test Partners found they could use the Chromecast exploit to play videos with voice commands to smart home devices like Amazon’s Alexa.
HackerGiraffe said their attacks are more about exposing vulnerabilities than promoting Kjellberg’s channel. “We want to help you, and also our favorite YouTubers (mostly PewDiePie),” their website reads. “We’re only trying to protect you and inform you of this [vulnerability] before someone takes real advantage of it.”
In December, The Wall Street Journal’s website was also hacked to promote Kjellberg’s channel, but HackerGiraffe said they weren’t involved.
A Google spokesperson said, “This is not an issue with Chromecast specifically, but is rather the result of router settings that make smart devices, including Chromecast, publicly reachable.”
That’s true on one hand, but it doesn’t address the underlying issue — that the Chromecast can be tricked into allowing an unauthenticated attacker the ability to hijack a media stream and display whatever they want.