Hackers Hijack Chromecasts, Promote PewDiePie and Expose Unpatched Bug

Hackers HackerGiraffe and j3ws3r have struck again. The famed pair has managed to take over Chromecasts and force television sets to show messages urging people to subscribe to the YouTube channel of popular Swedish YouTuber Felix Kjellberg, also known as PewDiePie.


HackerGiraffe and j3ws3r achieved notoriety with their infamous global printer hack, in which printers around the world were made to print out sheets of paper asking people to subscribe to PewDiePie’s channel.

The hack, which has been dubbed CastHack, exploited a vulnerability found in routers that makes connected devices, such as the Chromecast and Google Home, discoverable. The hackers then took control of the Chromecast in order to broadcast videos on the connected television set.


YouTuber PewDiePie, who has long held the crown of most-subscribed channel on the video-sharing website, has been engaged in a YouTube popularity contest with another channel, T-Series, which had been threatening his position.

It is obvious that HackerGiraffe and j3ws3r are fans of PewDiePie, but according to them the purpose behind the hijacking was to alert users and Google to the vulnerability. Their website, which displays the number of exposed devices (72,341 at the time of writing of this article), states: “We want to help you, and also our favorite YouTubers (mostly PewDiePie).” “We’re only trying to protect you and inform you of this [vulnerability] before someone takes real advantage of it.”

Speaking to technology news and media network The Verge, Google said that it was aware of the issue but that the problem lay in the settings of the routers, adding that the best course of action to solve the issue would be to turn off Universal Plug and Play (UPnP) on the router.

What Can Go Wrong

The hacker said that information can leak through this vulnerability, including which WiFi network your Chromecast or Google Home is connected to, the Bluetooth devices it has paired with, how long it has been on, what WiFi networks your device remembers, and what alarms you have set.

Their website also listed the potential fallout of the flaw. Namely, it said that attackers could remotely play media on a breached device, rename that device, factory reset or reboot it, force it to forget all WiFi networks, force it to pair to a new Bluetooth speaker or WiFi point, and so on.

On the other hand, it said that, “assuming the Chromecast/Google Home is the only problem you have, hackers CANNOT access other devices on the network or sniff information besides WIFI points and Bluetooth devices. They also don’t have access to your personal Google account, nor the Google Home’s microphone. They do have access to the noise level in the room though :)”