You might not agree with this method, but the goal was to show people that they need to not leave their Google Chromecast devices connected to the Internet when not in use. The Crashcast tool was published on Github as a warning to Chromecast owners. It’s the same vulnerability that hackers used to take over Chromecast devices and broadcast a PewDiePie message.
This vulnerability was used earlier this week by the hacking pair Hacker Giraffe and j3ws3r. They used it to send a message supporting YouTuber Felix Kjellberg, aka PewDiePie. This message went out to many Chromecast devices.
These hackers were able to send their message out to Chromecast streaming devices that were left online and not logged out.
The hackers did this, Hacker Giraffe said, to show that thousands of Chromecast devices across the world are left in a vulnerable state. He pulled off something similar recently with Internet-connected printers.
The hacker said on Thursday that the negative reaction that he and his partner received after their prank on Chromecast devices has led them to give up hacking. They were having “all kinds of fears and panic attacks” worried that they would be caught and prosecuted.
“I just wanted to inform people of their vulnerable devices while supporting a YouTuber I liked. I never meant any harm, nor did I ever have any ill intentions,” Hacker Giraffe wrote on Pastebin.
But after the duo’s prank, the Crashcast tool that takes advantage of the same vulnerability was made accessible to everyone by security and freelance researcher Amir Khashayar Mohammadi. However, he claims that the tool is just a “proof-of-concept” to research further into this vulnerability. He isn’t intending for people to use it for nefarious reasons.
The tool doesn’t really do anything that malicious to Chromecast devices, as it doesn’t allow for remote code execution. Really all it can do is play YouTube videos on the devices.
“You’re not necessarily hacking anything here,” said Mohammadi, a Spuz.me website blogger. “All you’re doing is issuing a cURL command, which in this case tells the Chromecast to view a video.”
“There is no authentication or bypass; you’re actually doing what the Chromecast is intended to do, except the reason this works is because they’re all being exposed to the Internet,” he explained.
“I mean, honestly, why would anyone leave their Chromecast on the Internet? It makes no sense. You’re literally asking for it.”
Crashcast identifies all the accessible Chromecast devices with a search engine designed to locate Internet devices, Shodan, and uses Python in the process as well. The user then inputs a YouTube video ID, and that is then displayed on each Chromecast device.
Gizmodo notes that using Crashcast could be considered a computer crime, depending on the country.
“My code is for researchers looking for [proof of concepts] for vulnerabilities talked about but not actually observed properly,” explained Mohammadi. What people do with his tool is up to them. “I only write them. I don’t even use/test them – I just know how they work.”
After Mohammadi noticed that Hacker Giraffe disappeared, he wants to make sure no one blames him and instead blames “all those people who for no reason are exposing their Chromecasts, or printers, or cameras, whatever!”
He adds, “These same people are the reasons why people like me have to release these tools so they get up and change their router configurations. We have to force these people to do it. Much like updating, people don’t do it unless there is a need. These are the same people who give power to such tools in the first place! Blame them entirely.”
Google removed any of the blame from themselves, of course, as well: “This is not an issue with Chromecast specifically but is rather the result of router settings that make smart devices, including Chromecast, publicly reachable.”
Do you have a Chromecast? Was it taken over by the hackers’ YouTube display? What do you think of the tool being published online? Let us know your thoughts on Chromecasts being mass-hijacked in the comments.