Thousands of exposed smart TVs, Chromecast streamers and Google Home devices have been hacked due to a security flaw in both users’ Chromecasts and routers, according to a BBC report.
The hackers behind the recent attack are known as Hacker Giraffe and J3ws3r, the same pseudonymous individuals who were responsible for hacking over 50,000 open printers, making them print a message in support of PewDiePie.
In a similar manner to the previous attacks, the hackers forced affected Chromecasts to display a pop-up that warns users their misconfigured router is exposing their Chromecast and smart TV.
Chromecast / smart TV exposed
The video message displayed on TVs reads: “Your Chromecast/Smart TV is exposed to the public internet and is exposing sensitive information about you!”
It then forces victims to visit a web address and asks them to “subscribe to PewDiePie”.
The bug, dubbed CastHack, makes use of the Universal Plug and Play (UPnP) functionality of some routers in order to gain remote access to devices connected to their network.
The Hacker Giraffe team said on their attack tracking website that they wanted to help educate victims and protect them from leaving devices exposed, as happened in this case.
In a letter posted online, Hacker Giraffe said: “I just wanted to inform people of their vulnerable devices while supporting a YouTuber I liked. I never meant any harm, nor did I ever have any ill intentions. I’m sorry if anything I’ve done has made you feel under attack or threatened.”
They even provided victims with advice on how to fix the exploited devices, recommending that users disable UPnP on their routers.
Google has released an official statement on the case, saying that the Chromecast itself is not to blame and that the fault lies with the router.
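As an added example that is not from the article or the CastHack authors, the script below audits the UPnP IGD port mappings a router reports (the WANIPConnection GetGenericPortMappingEntry response) and lists which LAN hosts those mappings expose to the internet, which is the misconfiguration the article describes. The SOAP responses, addresses and ports are constructed, and fetching the entries from a real router's IGD control URL is omitted so the code runs offline.

```python
# Added example (not from the article or the CastHack authors): audit a router's
# UPnP IGD port mappings for LAN devices reachable from the internet. A router
# implementing WANIPConnection:1 answers GetGenericPortMappingEntry with SOAP like below.
import xml.etree.ElementTree as ET

def _field(root, name):
    """Return the text of New<name>, ignoring any namespace on the element tag."""
    for el in root.iter():
        if el.tag.split("}")[-1] == "New" + name:
            return (el.text or "").strip()
    raise ValueError(f"missing New{name}")

def parse_mapping_response(soap_xml):
    """Parse one GetGenericPortMappingEntryResponse into a plain dict."""
    root = ET.fromstring(soap_xml)
    return {
        "external_port": int(_field(root, "ExternalPort")),
        "protocol": _field(root, "Protocol"),
        "internal_client": _field(root, "InternalClient"),
        "internal_port": int(_field(root, "InternalPort")),
        "enabled": _field(root, "Enabled") == "1",
        "description": _field(root, "PortMappingDescription"),
    }

def exposed_hosts(mappings):
    """Group active mappings by LAN host; disabled entries expose nothing and are skipped."""
    out = {}
    for m in mappings:
        if m["enabled"]:
            out.setdefault(m["internal_client"], []).append(
                (m["external_port"], m["protocol"], m["internal_port"], m["description"]))
    return out

# Constructed samples: an active mapping to a streaming device and a disabled one.
_TMPL = ('<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
         '<s:Body><u:GetGenericPortMappingEntryResponse '
         'xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
         '<NewExternalPort>{ext}</NewExternalPort><NewProtocol>TCP</NewProtocol>'
         '<NewInternalPort>{iport}</NewInternalPort><NewInternalClient>{ip}</NewInternalClient>'
         '<NewEnabled>{on}</NewEnabled><NewPortMappingDescription>{desc}</NewPortMappingDescription>'
         '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>')
SAMPLE_RESPONSES = [
    _TMPL.format(ext=8008, iport=8008, ip="192.168.1.50", on=1, desc="media-player"),
    _TMPL.format(ext=2222, iport=22, ip="192.168.1.10", on=0, desc="ssh (disabled)"),
]

def audit_samples():
    """Run the audit over the constructed samples and return the exposed hosts."""
    return exposed_hosts([parse_mapping_response(r) for r in SAMPLE_RESPONSES])
```

Any host that appears in the result is reachable from the internet through the router, so the mapping should be deleted or UPnP disabled, as the article advises.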
Continuous automated security testing
Paul Farrington, director of EMEA and APJ at Veracode, commented on the case by saying that developers need to test and scan the security of their systems regularly to prevent a UPnP vulnerability from being exploited by cybercriminals.
“The problem with the Chromecast device is that Google hasn’t really designed it to anticipate a hostile environment, such as one in which devices can be directly exposed to the Internet,” he said.
“In general, consumers haven’t been educated on how to make devices secure. Offering advice about disabling features is all well and good, but device manufacturers and probably Internet Service Providers (ISPs) could do more to help the public by providing secure configurations,” he added.
He went on to explain that software engineers who are knowledgeable about cybersecurity need to think about offering proper advice to software users.
“Veracode’s recent State of Software Security Report (v.9) suggests that DevSecOps teams that embed continuous automated security testing into their routine will eliminate security defects 11.5 times faster than those which test infrequently. As such, upfront thinking about security, coupled with continuous security testing is really the only way to address the modern challenge of keeping consumers safe from hackers.”