Google Chromecast hijack: “Universal Plug and Play has been problematic for years” say security experts

A hacker has remotely gained access to the TVs and smart devices of a whopping 70,000 Google Chromecast users.

During the hack, a pop-up was displayed that both warned of the exploit and linked to a page listing the current number of affected devices.

The message also promotes controversial YouTube personality PewDiePie – a move the infamous Hacker Giraffe has previously made by hijacking connected printers and getting them to print support for the YouTuber.

“We have received reports from users who have had an unauthorised video played on their TVs via a Chromecast device,” a Google spokesperson told TechCrunch.

“This is not an issue with Chromecast specifically, but is rather the result of router settings that make smart devices, including Chromecast, publicly reachable.”

While this latest hack was indeed made possible by a security flaw in a user’s router, the exploit relating to the Chromecast is one that has been known since the device first launched.

Paul Farrington, director of EMEA and APJ at Veracode, has warned that developers need to test and scan the security of their systems regularly to prevent a Universal Plug and Play (UPnP) vulnerability from being exploited by cyber criminals:

“UPnP has been problematic for years,” said Farrington. “The protocols exist to make interconnectivity of devices simpler for users. The idea behind UPnP is nice, but in the context of a hostile attack landscape, it exposes internal networks to risk. Some devices and software applications will rely on UPnP, but the majority won’t.

“Really, the advice for the home user is to turn off UPnP on their Internet router. The problem with the Chromecast device is that Google hasn’t really designed it to anticipate a hostile environment, such as one in which devices can be directly exposed to the Internet.

“In general, consumers haven’t been educated on how to make devices secure. Offering advice about disabling features is all well and good, but device manufacturers and probably Internet Service Providers (ISPs) could do more to help the public by providing secure configurations,” advised Farrington.

“Before network and software engineers create products, they really need to think about the adversary. Asking the question, ‘how would the attacker benefit from this design feature’ should be a constant question that is asked within development teams.”
