Hackers are taking advantage of vulnerable Chromecast and Google Home devices to display messages on consumer TVs promoting well-known YouTube star PewDiePie.
Once hacked, the TVs display a message saying: “[Public Service Announcement] PewDiePie, the number #1 subscribed channel on YouTube is about to be overthrown by Indian music company T-Series. Please go on Youtube and subscribe to him ASAP.”
The Swedish-born comedian and video game commentator, whose real name is Felix Kjellberg, is currently going head-to-head with T-Series, an Indian music record label and film company, for the top YouTube spot. Both channels have at least 73 million subscribers.
According to a website for the latest campaign, the duo targeted a router setting called Universal Plug and Play (UPnP), which helps smart devices connect easily to other devices on a private network – however, the feature can also expose those devices’ ports to the internet if it is configured to forward them.
In a Tweet, one of the hackers, @j3ws3r, said on Thursday: “Our Chromecast and smart-TV hack is now complete… never leave a port open someone can mess with.”
Our chromecast and smart TV hack is now complete. Thank you and please, stay safe, and most importantly: never leave a port open someone can mess with. https://t.co/H2WOHQNkE8
Thank you to my partner @HackerGiraffe
— Bob (@j3ws3r) January 3, 2019
According to the attack website, more than 4,000 TVs have been impacted by what the hackers are dubbing “CastHack” – however, that number has not been confirmed by Google.
According to the website describing the hack, users can stop the hack and secure their devices by disabling UPnP on the router.
“We have received reports from users who have had an unauthorized video played on their TVs via a Chromecast device,” a Google spokesperson told Threatpost. “This is not an issue with Chromecast specifically, but is rather the result of router settings that make smart devices, including Chromecast, publicly reachable.”
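The article’s fix is to turn UPnP off at the router; before doing that, a household can see what UPnP has already opened. As an added, defender-side example (not code from the article, from Google, or from the people behind the attack), the Python script below asks a router, from inside the LAN, to list the port mappings its UPnP Internet Gateway Device (IGD) service has created, and flags the ones reachable from any internet address. It assumes the router implements the standard `WANIPConnection:1` service and that its SOAP control URL (the `control_url` argument) has already been read from the router’s UPnP device description; the sample mapping table, the `fake_sender` stand-in and all addresses and ports in it are constructed for offline use.

```python
"""List a home router's UPnP IGD port mappings and flag the publicly reachable ones."""
import urllib.request
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List, Optional

WANIP_SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
CONTROL_NS = "urn:schemas-upnp-org:control-1-0"
INDEX_OUT_OF_RANGE = "713"  # UPnP SpecifiedArrayIndexInvalid: no more table entries


def build_request(index: int) -> str:
    """SOAP body for GetGenericPortMappingEntry at one index of the mapping table."""
    return (
        '<?xml version="1.0"?>'
        f'<s:Envelope xmlns:s="{SOAP_NS}" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
        f'<u:GetGenericPortMappingEntry xmlns:u="{WANIP_SERVICE}">'
        f"<NewPortMappingIndex>{index}</NewPortMappingIndex>"
        "</u:GetGenericPortMappingEntry></s:Body></s:Envelope>"
    )


def parse_mapping(xml_text: str) -> Optional[Dict[str, str]]:
    """One mapping as a dict, or None when the router reports error 713 (end of table)."""
    root = ET.fromstring(xml_text)
    fault = root.find(f".//{{{SOAP_NS}}}Fault")
    if fault is not None:
        code = fault.findtext(f".//{{{CONTROL_NS}}}errorCode")
        if code == INDEX_OUT_OF_RANGE:
            return None
        raise RuntimeError(f"UPnP fault errorCode={code}")
    resp = root.find(f".//{{{WANIP_SERVICE}}}GetGenericPortMappingEntryResponse")
    if resp is None:
        raise ValueError("not a GetGenericPortMappingEntry response")
    return {child.tag: (child.text or "") for child in resp}  # arguments are unqualified


def enumerate_mappings(send: Callable[[str], str]) -> List[Dict[str, str]]:
    """Walk indices 0, 1, 2, ... until the router says the table is exhausted."""
    mappings, index = [], 0
    while True:
        entry = parse_mapping(send(build_request(index)))
        if entry is None:
            return mappings
        mappings.append(entry)
        index += 1


def publicly_exposed(mappings: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Enabled mappings with an empty NewRemoteHost accept connections from any
    internet address and forward them to a LAN host; those are the risky ones."""
    return [m for m in mappings if m.get("NewEnabled") == "1" and not m.get("NewRemoteHost")]


def soap_sender(control_url: str) -> Callable[[str], str]:
    """Sender that POSTs each SOAP request to the router's WANIPConnection control URL."""
    def send(body: str) -> str:
        req = urllib.request.Request(
            control_url, data=body.encode(), method="POST",
            headers={"Content-Type": 'text/xml; charset="utf-8"',
                     "SOAPAction": f'"{WANIP_SERVICE}#GetGenericPortMappingEntry"'})
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.read().decode()
    return send


# --- constructed router answers, so the audit logic can be exercised offline ---
def _response(ext, proto, client, internal, enabled, desc, remote=""):
    return (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
            f'<u:GetGenericPortMappingEntryResponse xmlns:u="{WANIP_SERVICE}">'
            f"<NewRemoteHost>{remote}</NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>"
            f"<NewProtocol>{proto}</NewProtocol><NewInternalPort>{internal}</NewInternalPort>"
            f"<NewInternalClient>{client}</NewInternalClient><NewEnabled>{enabled}</NewEnabled>"
            f"<NewPortMappingDescription>{desc}</NewPortMappingDescription>"
            "<NewLeaseDuration>0</NewLeaseDuration>"
            "</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>")

END_OF_TABLE = (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><s:Fault>'
                "<faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring>"
                f'<detail><UPnPError xmlns="{CONTROL_NS}"><errorCode>713</errorCode>'
                "<errorDescription>SpecifiedArrayIndexInvalid</errorDescription>"
                "</UPnPError></detail></s:Fault></s:Body></s:Envelope>")

SAMPLE_TABLE = [  # constructed: a media device open to anyone, a disabled entry, a source-restricted one
    _response(8443, "TCP", "192.168.1.50", 8443, 1, "media-device"),
    _response(554, "TCP", "192.168.1.61", 554, 0, "camera-rtsp"),
    _response(3389, "TCP", "192.168.1.20", 3389, 1, "desktop", remote="203.0.113.9"),
]


def fake_sender(table: List[str]) -> Callable[[str], str]:
    """Offline stand-in for soap_sender that answers from a constructed table."""
    def send(body: str) -> str:
        idx = int(ET.fromstring(body).find(".//NewPortMappingIndex").text)
        return table[idx] if idx < len(table) else END_OF_TABLE
    return send


def audit_sample() -> List[Dict[str, str]]:
    return publicly_exposed(enumerate_mappings(fake_sender(SAMPLE_TABLE)))


if __name__ == "__main__":
    for m in audit_sample():
        print(f"EXPOSED {m['NewProtocol']}/{m['NewExternalPort']} -> "
              f"{m['NewInternalClient']}:{m['NewInternalPort']} ({m['NewPortMappingDescription']})")
```

Against a real router, replace `fake_sender(SAMPLE_TABLE)` with `soap_sender(control_url)`; the control URL comes from the router’s UPnP device description, which this script does not discover. Any flagged mapping the household did not create on purpose is a candidate for deletion, and disabling UPnP on the router, as the campaign’s own site advises, stops devices from creating new ones.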
A Series of Support Hacks
The hacking duo that took responsibility for the attack – known by their Twitter names, @HackerGiraffe and @j3ws3r – were also behind a security fiasco earlier in December in which they commandeered 50,000 printers globally to print pamphlets promoting the star. A separate hack later in December tricked hundreds of thousands more printers into printing the pamphlets.
These efforts have inspired other similar attacks, including the defacement of a web page owned by the Wall Street Journal in December.
However, the two denounced the WSJ attack via Twitter, saying that it took away from their purpose of highlighting insecure devices on the internet: “I don’t support defacement. Now @j3ws3r and I will be painted all across media as evil hackers that promoted kids to illegally hijack a media company’s website to promote @pewdiepie.”
Since launching the latest offensive against Chromecast devices, @HackerGiraffe appears to have deleted his or her Twitter account, but posted a Pastebin message saying: “I just wanted to inform people of their vulnerable devices while supporting a YouTuber I liked. I never meant any [harm], nor did I ever have any ill intentions.”
The attack has showcased the insecurity of Internet of Things (IoT) devices, with security expert Kevin Beaumont calling out the publicly exposed devices on Twitter: “Google have got to get better at this stuff, see also ADB being configurable w/o authentication. The people here are also renaming the Wifi networks as, yes, you can also do that remotely – stops the device owner easily stop the video playing.”
— Kevin Beaumont (I think) (@GossiTheDog) January 2, 2019
Meanwhile, Pen Test Partners’ Ken Munro said that hundreds of thousands of Chromecast devices remain publicly visible on Shodan.
Whilst Chromecast #casthack site is now down, this doesn't mean the bug is fixed.
Still >160,000 live Chromecasts public on @shodanhq
And >200,000 on https://t.co/uBMEizE54Z – these have precise location for local de-auth attack too…
— Ken Munro (@TheKenMunroShow) January 3, 2019
This story was updated on Jan. 3 at 1:30 p.m. to reflect comments from Google.