Pranking ChromeCast Owners Is Too Easy

Some smart devices are easier to exploit than others. They don’t require a skilled hacker to compromise them; one with the right tools who knows where to look for weak spots will suffice. And security bugs in the world of Internet of Things have quite the shelf life.

Less advanced attackers often rely on ready-made utilities that allow them to simply point and click their way into hacking vulnerable devices; or they follow tutorials on how to achieve a particular goal and adapt them case by case. Some do it just to learn a few things while others aim to turn a profit, no matter how small.

If you own a Chromecast that is exposed online, it can be fed any YouTube video via a utility called CrashCast. The tool, developed by security researcher Amir Khashayar Mohammadi specifically for mass exploitation of Google’s streaming dongles, is intended as a proof-of-concept to show users in a non-damaging way that outside interference in the local network is possible with little effort.

CrashCast is not hacking anything (remember the prank from PewDiePie fans; instead, it abuses a feature used by ChromeCast devices to play videos on the TV set. Its capabilities are rather limited, but they can create a great deal of annoyance not just by feeding video but also by terminating apps and renaming the targeted dongles.

This is possible because ChromeCast is designed to work on the local network, which is considered a safe haven for some reason. All it takes to get the device to show content from Netflix, YouTube, Hulu or other services is to connect it to the local WiFi and supply it with video via a smartphone, tablet, or a computer with Chrome browser.

The mass exploitation component in CrashCast relies on the Shodan search engine, which replies to search queries with IP addresses for matching connected devices it finds online. The search can be general or product-specific.

The exploit tool uses this list of Chromecasts reachable over the internet as targets to play a video of the attacker’s choice. All there is to accomplishing this is to input a YouTube video ID. At the moment of writing, there were over 180,000 Chromecasts, most of them in South Korea.

If you wonder whether a hacker could do more than just create irritation by playing videos of their choice, the answer depends on if you have a smart assistant installed, like Alexa. If you do, the hacker could play a video with commands for the assistant.

To avoid such unpleasantness, make sure that local IoT devices do not communicate with the internet directly. Disabling the Universal Plug and Play (UPnP) communication in your router and not forwarding ports on your router help achieve this. A guide on how to keep your smart gadgets visible only locally is available here.

Image credit: Google