Tool That Can Mass-Hijack Google Chromecast Was Uploaded to Github

You might not agree with this method, but the goal was to show people that they should not leave their Google Chromecast devices reachable from the Internet when not in use. The Crashcast tool was published on Github as a warning to Chromecast owners. It exploits the same vulnerability that hackers used to take over Chromecast devices and broadcast a PewDiePie message.

Chromecast Vulnerability

This vulnerability was used earlier this week by the hacking pair Hacker Giraffe and j3ws3r. They used it to send a message supporting YouTuber Felix Kjellberg, aka PewDiePie. This message went out to many Chromecast devices.

These hackers were able to send their message out to Chromecast streaming devices that were left online and not logged out.

The hackers did this, Hacker Giraffe said, to show that thousands of Chromecast devices across the world are left in a vulnerable state. He pulled off something similar recently with Internet-connected printers.


Public Reaction

The hacker said on Thursday that the negative reaction that he and his partner received after their prank on Chromecast devices has led them to give up hacking. They were having “all kinds of fears and panic attacks” worried that they would be caught and prosecuted.

“I just wanted to inform people of their vulnerable devices while supporting a YouTuber I liked. I never meant any harm, nor did I ever have any ill intentions,” Hacker Giraffe wrote on Pastebin.

Crashcast

But after the duo’s prank, the Crashcast tool that takes advantage of the same vulnerability was made accessible to everyone by security and freelance researcher Amir Khashayar Mohammadi. However, he claims that the tool is just a “proof-of-concept” to research further into this vulnerability. He isn’t intending for people to use it for nefarious reasons.

The tool does nothing particularly malicious to Chromecast devices, as it does not allow remote code execution. All it can really do is play YouTube videos on the devices.

“You’re not necessarily hacking anything here,” said Mohammadi, a Spuz.me website blogger. “All you’re doing is issuing a cURL command, which in this case tells the Chromecast to view a video.”

“There is no authentication or bypass; you’re actually doing what the Chromecast is intended to do, except the reason this works is because they’re all being exposed to the Internet,” he explained.

“I mean, honestly, why would anyone leave their Chromecast on the Internet? It makes no sense. You’re literally asking for it.”


Crashcast, which is written in Python, identifies all the publicly accessible Chromecast devices using Shodan, a search engine designed to locate Internet-connected devices. The user then inputs a YouTube video ID, which is then displayed on each Chromecast device.

Gizmodo notes that using Crashcast could be considered a computer crime, depending on the country.

“My code is for researchers looking for [proof of concepts] for vulnerabilities talked about but not actually observed properly,” explained Mohammadi. What people do with his tool is up to them. “I only write them. I don’t even use/test them – I just know how they work.”

Furthermore

Having noticed that Hacker Giraffe has disappeared, Mohammadi wants to make sure no one blames him and instead blames “all those people who for no reason are exposing their Chromecasts, or printers, or cameras, whatever!”

He adds, “These same people are the reasons why people like me have to release these tools so they get up and change their router configurations. We have to force these people to do it. Much like updating, people don’t do it unless there is a need. These are the same people who give power to such tools in the first place! Blame them entirely.”

Google, of course, also deflected any blame from itself: “This is not an issue with Chromecast specifically but is rather the result of router settings that make smart devices, including Chromecast, publicly reachable.”

Do you have a Chromecast? Was it taken over by the hackers’ YouTube display? What do you think of the tool being published online? Let us know your thoughts on Chromecasts being mass-hijacked in the comments.

Image Credit: EricaJoy, TAKA@P.P.R.S, and Maurizio Pesce all via Wikimedia Commons

2 comments

  1. “Public Reaction”
    People, for the most part, don’t give a damn about security vulnerabilities. They just want their MTV (or, in this case, their Chromecast).

    “Crashcast … Amir Khashayar … isn’t intending for people to use it for nefarious reasons”
    The way to hell is paved with good intentions. You know damn well that someone WILL weaponize Crashcast. Khashayar is either very naive or disingenuous.

    “I mean, honestly, why would anyone leave their Chromecast on the Internet?”
    CONVENIENCE! Laziness. Ignorance. Take your pick.

  2. I would agree that this is a router issue, most likely due to inexperienced users changing settings without understanding the consequences. A typical scenario is kids changing settings to play games with their peers. It’s similar to leaving the front door open and complaining that someone is using your kitchen equipment. The difference here is that it’s far less obvious; these changes to router settings are best done by those who understand what they are doing.
