Hackers who reportedly commandeered thousands of Chromecast streaming devices on Monday used them to alert owners to a hole in their security, while also plugging their favorite YouTube star—perennial edgelord PewDiePie, a.k.a. Felix Kjellberg.
TechCrunch reported Wednesday that the hackers, Hacker Giraffe and J3ws3r, had taken advantage of known issues with Universal Plug and Play (UPnP)—a local networking protocol with a problematic history—to hijack thousands of Chromecasts. Later, however, multiple outside experts cast doubt on whether UPnP was even the issue. The cause of the divergent explanations was not immediately clear. (Simply disabling forwarding of ports 8008 and 8443 in a router’s settings will apparently solve the problem for most users.)
The website reported:
Bishop Fox, a security consultancy firm, first found the bug in 2014, not long after the Chromecast debuted. The researchers found that they could conduct a “deauth” attack that disconnects the Chromecast from the Wi-Fi network it was connected to, causing it to revert back to its out-of-the-box state, waiting for a device to tell it where to connect and what to stream. That’s when it can be hijacked and forced to stream whatever the hijacker wants. All of this can be done in an instant — as they did — with a touch of a button on a custom-built handheld remote.
Two years later, U.K. cybersecurity firm Pen Test Partners discovered that the Chromecast was still vulnerable to “deauth” attacks, making it easy to play content on a neighbor’s Chromecasts in just a few minutes.
According to TechCrunch, Hacker Giraffe forced thousands of Chromecasts to play a video warning that “YOUR Chromecast/Smart TV is exposed to the public internet and is exposing sensitive information about you!” They also provided a URL for afflicted users instructing them to disable UPnP on their router and stop forwarding ports 8008, 8443, and 8009. (The URL has since been taken offline.)
The hackers also directed people to subscribe to PewDiePie, whom they had promoted earlier this year by forcing tens of thousands of printers to spew out messages reading, “PewDiePie is in trouble and he needs your help to defeat T-Series!”
One possible way to abuse the Chromecast, TechCrunch noted, was to access other voice-controlled devices in the same room by uploading YouTube videos that recite commands.
The day after the reported prank went viral, Giraffe published an open letter saying they’d quit hacking due to panic attacks and anxiety brought on by their fear of getting caught. They also referenced negative blowback from the stunt. “I just wanted to inform people of their vulnerable devices while supporting a YouTuber I liked. I never meant any harm, nor did I ever have any ill intentions,” they said.
In a statement to TechCrunch, Google acknowledged it had received reports of the video popping up on Chromecasts, but said: “This is not an issue with Chromecast specifically, but is rather the result of router settings that make smart devices, including Chromecast, publicly reachable.”
Correction: An earlier version of this article, including the headline, identified a Chromecast “exploit” involving Universal Plug and Play (UPnP). Initially, port-forwarding and a UPnP flaw were both thought to be the issues enabling the hackers’ prank, but security researchers have called into question whether UPnP was involved at all given that the problem can be fixed without disabling UPnP. The headline and the article have been updated throughout to reflect the new information. We regret the error.