Home > News

Tool That Can Mass-Hijack Google Chromecast Was Uploaded to Github

By Laura Tucker
Tool That Can Mass-Hijack Google Chromecast Was Uploaded to Github Featured Image

You might not agree with this method, but the goal was to show people that they need to not leave their Google Chromecast devices connected to the Internet when not in use. The Crashcast tool was published on Github as a warning to Chromecast owners. It’s the same vulnerability that hackers used to take over Chromecast devices and broadcast a PewDiePie message.

Chromecast Vulnerability

This vulnerability was used earlier this week by the hacking pair Hacker Giraffe and j3ws3r. They used it to send a message supporting YouTuber Felix Kjellberg, aka PewDiePie. This message went out to many Chromecast devices.

These hackers were able to send their message out to Chromecast streaming devices that were left online and not logged out.

The hackers did this, Hacker Giraffe said, to show that thousands of Chromecast devices across the world are left in a vulnerable state. He pulled off something similar recently with Internet-connected printers.

news-chromecast-hijacked-unboxing

Public Reaction

The hacker said on Thursday that the negative reaction that he and his partner received after their prank on Chromecast devices has led them to give up hacking. They were having “all kinds of fears and panic attacks” worried that they would be caught and prosecuted.

“I just wanted to inform people of their vulnerable devices while supporting a YouTuber I liked. I never meant any harm, nor did I ever have any ill intentions,” Hacker Giraffe wrote on Pastebin.

Crashcast

But after the duo’s prank, the Crashcast tool that takes advantage of the same vulnerability was made accessible to everyone by security and freelance researcher Amir Khashayar Mohammadi. However, he claims that the tool is just a “proof-of-concept” to research further into this vulnerability. He isn’t intending for people to use it for nefarious reasons.

The tool doesn’t really do anything that malicious to Chromecast devices, as it doesn’t allow for remote code execution. Really all it can do is play YouTube videos on the devices.

“You’re not necessarily hacking anything here,” said Mohammadi, a Spuz.me website blogger. “All you’re doing is issuing a cURL command, which in this case tells the Chromecast to view a video.”

“There is no authentication or bypass; you’re actually doing what the Chromecast is intended to do, except the reason this works is because they’re all being exposed to the Internet,” he explained.

“I mean, honestly, why would anyone leave their Chromecast on the Internet? It makes no sense. You’re literally asking for it.”

news-chromecast-hijacked-device

Crashcast identifies all the accessible Chromecast devices with a search engine designed to locate Internet devices, Shodan, and uses Python in the process as well. The user then inputs a YouTube video ID, and that is then displayed on each Chromecast device.

Gizmodo notes that using Crashcast could be considered a computer crime, depending on the country.

“My code is for researchers looking for [proof of concepts] for vulnerabilities talked about but not actually observed properly,” explained Mohammadi. What people do with his tool is up to them. “I only write them. I don’t even use/test them – I just know how they work.”

Furthermore

After Mohammadi noticed that Hacker Giraffe disappeared, he wants to make sure no one blames him and instead blames “all those people who for no reason are exposing their Chromecasts, or printers, or cameras, whatever!”

He adds, “These same people are the reasons why people like me have to release these tools so they get up and change their router configurations. We have to force these people to do it. Much like updating, people don’t do it unless there is a need. These are the same people who give power to such tools in the first place! Blame them entirely.”

Google removed any of the blame from themselves, of course, as well: “This is not an issue with Chromecast specifically but is rather the result of router settings that make smart devices, including Chromecast, publicly reachable.”

Do you have a Chromecast? Was it taken over by the hackers’ YouTube display? What do you think of the tool being published online? Let us know your thoughts on Chromecasts being mass-hijacked in the comments.

Image Credit: EricaJoy, TAKA@P.P.R.S, and Maurizio Pesce all via Wikimedia Commons

Subscribe to our newsletter!

Our latest tutorials delivered straight to your inbox

Laura Tucker Avatar
Laura Tucker
Laura has spent more than 20 years writing news, reviews, and op-eds, with the majority of those years as an editor as well. She has exclusively used Apple products for the past 35 years. In addition to writing and editing at MTE, she also runs the site’s sponsored review program.

Read next

When the SS Great Eastern laid the first working transatlantic telegraph cable in 1866, a message that had taken ten days by steamship suddenly crossed the ocean in minutes, and the financial markets of London and New York were forced, within a single trading week, to invent the modern concept of synchronised global price.
From below of blue starry sky over radio telescope and trees with leaves
The Big Ear telescope was scanning at 1420.4056 megahertz on the night of 15 August 1977, the exact frequency at which hydrogen atoms vibrate across the universe, because Giuseppe Cocconi and Philip Morrison had argued years earlier that any species trying to be found would broadcast on that channel — and then, for 72 seconds, something did.
In 2016, archaeologists dated two rings of snapped stalagmites in France’s Bruniquel Cave to 176,500 years ago, evidence that Neanderthals had walked 336 metres into darkness with fire and built architecture deep underground long before modern humans reached Europe
Otto von Bismarck was 74 when Germany adopted the world’s first national old-age social insurance program in 1889, setting the pension age at 70 after years of fighting socialists with bans, laws, and a promise few workers would live long enough to use
When cosmonaut Valeri Polyakov stepped out of his Soyuz capsule in March 1995 after 437 consecutive days aboard Mir, doctors recorded him at several centimetres above his pre-flight height, and his spine had become so unaccustomed to gravity that the recovery team carried him to a chair rather than risk the compression of letting him walk.
When Bell Labs engineer Karl Jansky pointed a rotating antenna at the sky in 1932 looking for sources of transatlantic radio static, he kept picking up a faint hiss that peaked every 23 hours and 56 minutes, and he eventually realized he had become the first human to hear the center of the Milky Way.
A contemplative scene with two scientists in a vintage laboratory setting.
When Harvard astronomer Cecilia Payne submitted her 1925 doctoral thesis arguing that the Sun was made almost entirely of hydrogen, the field’s senior figure Henry Norris Russell talked her into adding a line calling the result ‘almost certainly not real,’ and then published the same conclusion himself four years later to widespread acclaim.
When seismic waves from the Chicxulub impact reached what is now North Dakota roughly ten minutes after the asteroid struck, they appear to have triggered a ten-metre standing wave in an inland river that flung fish onto the bank and buried them under glass beads still falling from the sky.