Researcher Distributes Tool That Enables Mass-Hijacking of Google Chromecast Devices

Uploaded to GitHub on Thursday, a tool called Crashcast enables the almost instantaneous takeover of all Chromecast streaming devices left accessible online by mistake. The hacker duo Hacker Giraffe and j3ws3r took advantage of this same misconfiguration earlier this week to broadcast a message in support of the YouTube star Felix Kjellberg, more widely known as PewDiePie, to thousands of Chromecast owners.

The prank was intended to draw attention, the hacker said, to the fact that thousands of Chromecast devices globally have been left exposed unnecessarily.

Hacker Giraffe, who not too long ago pulled a similar prank using internet-connected printers, said on Thursday that the backlash caused by the Chromecast high jinks led them to give up hacking. The fear of getting caught and prosecuted, the hacker wrote on Pastebin, was causing “all kinds of fears and panic attacks.”

“I just wanted to inform people of their vulnerable devices while supporting a YouTuber I liked. I never meant any harm, nor did I ever have any ill intentions,” they added.

But now a tool which accomplishes the same feat is accessible to virtually anyone, thanks to Amir Khashayar Mohammadi, a security and freelance researcher. Mohammadi tells Gizmodo, however, that the tool he’s released is merely a proof-of-concept uploaded to further research into the problem, and is not intended for people to use maliciously.

Crashcast shown preparing to broadcast a YouTube video to 176,642 Chromecast devices.

Luckily, the problem is a fairly benign one. The tool doesn’t allow for remote code execution, so forcing the device to play random YouTube videos is about all that can be accomplished. “You’re not necessarily hacking anything here,” says Mohammadi, who blogs and publishes papers on the website Spuz.me. “All you’re doing is issuing a cURL command which in this case tells the Chromecast to view a video.”

“There is no authentication or bypass, you’re actually doing what the Chromecast is intended to do, except the reason this works is because they’re all being exposed to the internet,” he continued, adding: “I mean honestly, why would anyone leave their Chromecast on the internet? It makes no sense. You’re literally asking for it.”
