Old Chromecast bug comes back to haunt Google, as hackers hijack Home speakers, smart TVs

Google Chromecast 2018 series costs $35, same as the predecessor. Google Blog (screen-shot)

Three hackers who go by the monikers TheHackerGiraffe, j3ws3r and @friendlyh4xx0r have taken control of thousands of Chromecast devices and Google Home smart speakers, in addition to smart TVs, in select global regions.

It has come to light that the hackers made use of a security loophole, dubbed CastHack, in the Chromecast and the router it connects to, using Universal Plug and Play (UPnP), a networking protocol. With this, the hackers managed to hijack the aforementioned devices to play YouTube star PewDiePie's videos.

This bug is similar to one detected in Chromecast in 2014 by Petro, a senior security analyst at the consultancy Bishop Fox, just a year after the device's debut. He made a remote using a Raspberry Pi computer chip, two wireless cards and a touchscreen, all assembled in a 3D-printed plastic enclosure.

With the home-made gadget, he was able to send a 'deauth' command to the Chromecast to disconnect it from the Wi-Fi network. When the Google Chromecast reboots, it enters reconfiguration mode, turning itself into a Wi-Fi hotspot, and waits for commands from a local computer or any nearby internet-connected device. The hacker can then control the Chromecast and play any content on the TV. It was Petro's method of pranking his friends; nevertheless, it was a security hole that Google, for reasons unknown, chose to ignore, and it has now come back to haunt the company under a new name, 'CastHack'.

As per the latest numbers, it has affected more than 65,000 smart TVs with Chromecast. CastHack webpage (screen-grab)

However, CastHack also seems to be a prank by its creators, TheHackerGiraffe, j3ws3r and @friendlyh4xx0r, and I believe them to be ethical white hat hackers who want to attract Google's attention so that it fixes this loophole. They have hosted a webpage revealing the number of Chromecasts, Google Home speakers and smart TVs that have been affected by CastHack.

As per the latest numbers, it has affected more than 65,000 smart TVs with Chromecast and 1,500 Google Home smart speakers. They have also succeeded in playing videos on 6,700 TVs and have even renamed the devices.

It would be great if Google found a solution before cybercriminals develop a more sinister version, which might affect owners of Chromecasts, Google Home speakers and smart TVs financially.

International Business Times India Edition has contacted a Google Chromecast representative for a response on the CastHack issue.