
Chromecast hack? Nope, looks like shitty routers.

As mentioned earlier, security people I’m following and talking to have mostly dismissed the idea that Chromecast + UPnP was to blame for yesterday’s “Chromecast hack”, as Chromecast/Home/etc. don’t really use UPnP for anything useful.

TL;DR – UPnP isn’t blameless, but Google may be.


One issue is that Chromecasts (I’m just going to call all affected devices Chromecast for this article) are consumer products, and once you’re in-network you’re not really dealing with a secure device. NAT and WiFi are your security.

From inside your network I can rename, cast, reboot, make a Home device talk, etc. This is by design. This only works if you’re in the person’s network. There’s a list of what you can make a Chromecast do. I don’t have it at 12:30am. Sorry.

That’s what it appears actually happened. Hackers got in your network through cheap router exploits. The Chromecast / smart TV / speakers / etc were just there as a display device. The hackers previously did about the same thing and printed out documents detailing how people’s printers were open and accessible because of router shittiness.

This time they renamed the Chromecasts, initiated a video stream, blamed Google, promoted that YouTube dude, and moved on.

The issue here is they were in the affected people’s network. They blamed Chromecast and your smart TV as opposed to blaming your craptastic router (or perhaps they did; the web page detailing the thing is down at the moment, so all I can see is the images and the Verge article blaming Google). They just rolled up to and exploited a bad UPnP daemon, hopped into the network, found the cast devices, renamed them, started a video stream, and bam.

UPnP isn’t supposed to let the outside world barge in unannounced. This is where the crappy part of crappy routers comes into play. Update that router’s firmware yet? Do you think many of the hacked people would ever have? Change the default admin password?

On the Verge article there’s a quote from the hackers that CastHack was meant to remind Google of security flaws.

It appears the flaw is that you’re putting a pretty open device behind something someone picked up at Walmart for $29 and is using as a router.

Disabling UPnP did the trick on some routers; on some, changing the default admin password would be required; on some a hammer might need applied. You get the drill.
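To check whether a router's UPnP table is forwarding outside traffic to cast devices, here is an added example (not part of the original post, and not any vendor's code) that parses UPnP IGD `GetGenericPortMappingEntry` responses and reports enabled forwards pointing at cast devices. The responses, IP addresses and ports are constructed, and `CAST_IPS` is an assumed inventory of the cast devices on your LAN.

```python
# Added example: audit UPnP IGD port-mapping entries for forwards that
# expose cast devices. All IPs, ports and responses below are constructed.
import xml.etree.ElementTree as ET

FIELDS = ("NewRemoteHost", "NewExternalPort", "NewProtocol",
          "NewInternalPort", "NewInternalClient", "NewEnabled")

def parse_mapping(soap_xml):
    """Extract the fields of one GetGenericPortMappingEntryResponse."""
    entry = {}
    for el in ET.fromstring(soap_xml).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop any XML namespace
        if tag in FIELDS:
            entry[tag] = (el.text or "").strip()
    return entry

def audit(responses, cast_ips):
    """Return findings for enabled mappings that forward to a cast device."""
    findings = []
    for xml_doc in responses:
        m = parse_mapping(xml_doc)
        if m.get("NewEnabled") != "1" or m.get("NewInternalClient") not in cast_ips:
            continue  # disabled, or not forwarding to a cast device
        # An empty NewRemoteHost is a wildcard: any Internet host may connect.
        scope = m.get("NewRemoteHost") or "ANY"
        findings.append((m["NewExternalPort"], m["NewProtocol"],
                         m["NewInternalClient"], m["NewInternalPort"], scope))
    return findings

def _resp(ext, proto, int_ip, int_port, enabled, remote=""):
    # Builds a constructed sample response; not captured from a real router.
    return f"""<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost>{remote}</NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>
<NewProtocol>{proto}</NewProtocol><NewInternalPort>{int_port}</NewInternalPort>
<NewInternalClient>{int_ip}</NewInternalClient><NewEnabled>{enabled}</NewEnabled>
</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""

SAMPLE = [
    _resp(8008, "TCP", "192.168.1.50", 8008, 1),    # cast device, open to all
    _resp(51413, "TCP", "192.168.1.20", 51413, 1),  # unrelated PC mapping
    _resp(8009, "TCP", "192.168.1.50", 8009, 0),    # disabled mapping
]
CAST_IPS = {"192.168.1.50"}  # assumed inventory of cast devices on the LAN

if __name__ == "__main__":
    for f in audit(SAMPLE, CAST_IPS):
        print("exposed: external %s/%s -> %s:%s (remote host: %s)" % f)
```

Any finding means the router is forwarding Internet traffic straight to a cast device; removing the mapping or disabling UPnP on the router closes it.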

But yes, I’m up past midnight posting that this doesn’t appear to have been a Google hack, more like cheapest router hack.

OK, so I love to source stuff, it’s midnight, I’ve got a cold, I’m going to thank some people in various forums, IRC, and post some twitter links and hit bed.

Two Twitter quotes (SwiftOnSecurity) that sum up everything above:

So yeah,

[Image: Chromecast hack. Source: The Verge]

Going by The Verge’s picture above, and what I’ve read, the Chromecast/smart TV are indeed exposed (because the router is garbage), and most likely the TV and Chromecast are not exposing any information about you; your router, yes.


Paul E King

Paul King started with GoodAndEVO in 2011, which merged with Pocketables, and as of 2018 he's evidently the owner. He lives in Nashville, works at a film production company, is married with two kids.


2 thoughts on “Chromecast hack? Nope, looks like shitty routers.”

  • LockeCJ

    The reality for most people (in the US, anyway) is that they use the router that was provided by their ISP. Since most people don’t bother changing anything about their routers, I’ve seen many cases where the default admin password is actually randomly generated and not some shared default value. Your ISP is still probably going with the cheapest hardware they can source, and likely spending a minimal amount of time securing them. Since most people don’t have many (or any) choices in which ISP they choose, and since even those that can choose don’t have any way of evaluating whether one ISP or another is security focused, the average consumer really has no way of mitigating the situation. They could buy different hardware in some cases, but without hiring someone who knows what they’re doing, they’re just trading one set of problems for another.

    • There’s a list of which routers were affected, I’ll post it when I get home, looks like mostly consumer grade from what I see (i.e., people trying to save a buck picked up a router cheap and never updated it).

