Hackers Exploit Google Chromecast Bug

Despite being warned years ago about a bug in its Chromecast media streaming stick, Google has yet to fix it, and hackers are still taking advantage. According to reports, “Hacker Giraffe” recently figured out how to use the bug — dubbed “CastHack” — to manipulate Chromecast into playing any YouTube video, eventually taking over thousands of Chromecasts to display a pop-up message on the connected TV explaining to users that a misconfigured router has exposed the devices to hackers.

The bug exploits a weakness in Chromecast and the router it connects to, with some routers enabling Universal Plug and Play (UPnP). Hacker Giraffe revealed that disabling UPnP should fix the problem.

“We have received reports from users who have had an unauthorized video played on their TVs via a Chromecast device,” a Google spokesperson said. “This is not an issue with Chromecast specifically, but is rather the result of router settings that make smart devices, including Chromecast, publicly reachable.”

However, that doesn’t address the fact that the bug enables anyone with access to a Chromecast to take control of the media stream and display whatever they want. It’s a flaw that Bishop Fox, a security consultancy firm, discovered in 2014, revealing it could conduct a “deauth” attack that disconnects the Chromecast from the Wi-Fi network to which it was connected. Two years later, U.K. cybersecurity firm Pen Test Partners revealed that the Chromecast was still susceptible to “deauth” attacks.

Ken Munro, founder of Pen Test Partners, said it’s “no surprise that somebody else stumbled onto it.”

“In fairness, we never thought that the service would be exposed on the public internet, so that is a very valid finding of his; full credit to him for that,” Munro said.

In a follow-up email, Google said it’s working to fix the deauth bug.
