A bug known as CastHack makes Chromecast vulnerable, and it appears that Google is not planning to do anything about it, despite having been aware of the issue for years. The weakness lies in both the Chromecast and the router, and it can be exploited. It applies to routers that have Universal Plug and Play (UPnP), a networking standard, enabled.
Exploiting the bug
To prove that the bug makes Google’s media streamer vulnerable, hackers managed to hijack thousands of Chromecast devices. Those responsible are J3ws3r and Hacker Giraffe. They made a pop-up notice appear on the TV, warning the user about the vulnerabilities of the streaming device.
A Google spokesperson did offer a statement:
We have received reports from users who have had an unauthorized video played on their TVs via a Chromecast device. This is not an issue with Chromecast specifically, but is rather the result of router settings that make smart devices, including Chromecast, publicly reachable.
While this suggestion might help, it isn’t a real solution and ignores the main problem here: Chromecast can be hijacked. The bug was first discovered by Bishop Fox back in 2014, and two years later Pen Test Partners found that the streaming device was still vulnerable. It appears that things haven’t changed since.
“Allowing control over a local network without authentication is a really silly idea on [Google’s] part. Because users do silly things, like expose their TVs on the internet, and hackers find bugs in services that can be exploited,” explained Ken Munro, who founded Pen Test Partners.
While this was not a malicious attack, this vulnerability could be used by attackers for their own gain, which makes it risky.
Laura Modin has lived in Las Cruces her whole life. Laura has worked as a journalist for nearly a decade, having contributed to several large publications including Yahoo News and The Santa Fe New Mexican. As a journalist for News Lair, Laura covers national and international developments.