13:00 pm IST Update: Google responds; the statement is below.
Three hackers who go by the monikers TheHackerGiraffe, j3ws3r and @friendlyh4xx0r have taken control of thousands of Chromecast devices and Google Home smart speakers, in addition to smart TVs, in select global regions.
It has come to light that the hackers made use of a security loophole dubbed CastHack in the Chromecast and the router it connects with, using Universal Plug and Play (UPnP), a networking protocol. With this, the hackers managed to hijack the aforementioned devices to play YouTube star PewDiePie's videos.
It can be noted that this bug is similar to the one detected in Chromecast in 2014 by Petro, a senior security analyst at the consultancy Bishop Fox, just a year after the former's debut. He made a remote using a Raspberry Pi computer chip, two wireless cards and a touchscreen, all assembled in a 3D-printed plastic enclosure.
With the home-made gadget, he was able to send a 'Deauth' command to the Chromecast to disconnect it from the Wi-Fi network. When the Google Chromecast reboots, it enters reconfiguration mode, turning itself into a Wi-Fi hotspot, and waits for commands from a local computer or any nearby internet-connected device. The hacker can then control the Chromecast and play any content on the TV. It was Petro's method of pranking his friends; nevertheless, it was a security hole. For reasons unknown, Google chose to ignore it, and now it has come back to haunt Google under a new name, 'CastHack'.
However, CastHack also seems to be a prank by its creators, TheHackerGiraffe, j3ws3r and @friendlyh4xx0r, and I believe them to be ethical white hat hackers who want to attract attention from Google to fix this loophole. They have hosted a webpage revealing the number of Chromecasts, Google Home speakers and smart TVs that have been affected by CastHack.
As per the latest numbers, it has affected more than 65,000 smart TVs with Chromecast and 1,500 Google Home smart speakers. They have also succeeded in playing videos on 6,700 TVs and even renamed the devices.
It would be great if Google finds a solution before cybercriminals develop a more sinister version, which might affect Chromecast, Google Home speaker and smart TV owners financially.
International Business Times India Edition has contacted a Google Chromecast representative for a response on the CastHack issue.
"We have received reports from users who have had an unauthorized video played on their TVs via a Chromecast device. This is not an issue with Chromecast specifically but is rather the result of router settings that make smart devices, including Chromecast, publicly reachable," a Google spokesperson said to IBTimes India.
It looks like the Wi-Fi router is the culprit in this episode, not the Chromecast. We will be coming out with a separate report on how to stop hackers from taking over Chromecast.