Hackers have discovered a bug that allows attackers to take control of Google's Chromecast media streaming player, making it possible to force the device to play any YouTube video they want.
The bug exploits a well-known vulnerability (routers that have Universal Plug and Play [UPnP] enabled by default expose devices to the wider internet), and an apparent flaw in Chromecast's design allows anyone who has access to the device to "hijack the media stream and show what they want" without authentication, wrote TechCrunch. The site added that the latter flaw has been known for years, since it was first discovered by security researchers:
Bishop Fox, a security consulting firm, first found the error in 2014, not long after Chromecast's debut. Researchers found that they could perform a "deauth" attack, disconnecting the Chromecast from the Wi-Fi network it was connected to and causing it to return to its out-of-the-box state, waiting for a device to tell it where to connect and what to stream. That's when it can be hijacked and forced to stream whatever the hijacker wants. All of this can be done in an instant – as they did – with a touch of a custom-built handheld remote.
Two years later, British cyber security company Pen Test Partners discovered that Chromecast was still vulnerable to "deauth" attacks, making it easy to play content on a neighbor's Chromecast in just a few minutes.
According to TechCrunch, this vulnerability was discovered by the hacker known as Hacker Giraffe, who used the technique to force thousands of Chromecasts to play a video that read, "Your Chromecast / Smart TV is exposed to the public Internet and exudes sensitive information about you!" Hacker Giraffe provided a URL for affected users to learn more about the UPnP vulnerability, as well as how to quickly render it useless:
Disable UPnP on your router, and if you are port forwarding ports 8008/8443/8009, then continue to forward them.
Hacker Giraffe also directed people to subscribe to Felix "PewDiePie" Kjellberg – a YouTube star and longtime edgelord. (The person behind the pseudonym also took credit for hijacking tens of thousands of printers earlier this year to print a message that read in part, "PewDiePie is in trouble and he needs help to defeat the T series!")
TechCrunch noted that the exploit could be used to pull off a complicated series of attacks, such as playing voice commands loud enough to be picked up by a smart speaker, thus messing with any connected accounts or devices.
As Gizmodo previously reported, UPnP has a long history of being compromised by hackers, often by exposing to the internet devices that were meant to be visible only locally. This summer, content delivery network Akamai reported that UPnP was being used by hackers to hide traffic in an "organized and widespread abuse campaign." A recent attack involving a UPnP vulnerability incorporated EternalBlue, a National Security Agency-developed exploit that leaked in 2017.
Google confirmed in a statement to TechCrunch that it had received reports on the video that came up on Chromecasts, but claimed: "This is not a problem with Chromecast, but rather is the result of router settings that make smart devices, including Chromecast, publicly available."
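An added example, not from the article or from Hacker Giraffe's page: a small Python check that scans a router's UPnP port-mapping list for ports 8008/8443/8009, the kind of router-level exposure Google's statement describes. It assumes the listing is in the format printed by miniupnpc's `upnpc -l`; the sample listing, addresses and descriptions are constructed.

```python
import re

# Ports named in the article's advice about port forwarding.
CAST_PORTS = {8008, 8009, 8443}

# One mapping row (assumed `upnpc -l` layout):
#   index protocol extPort->intAddr:intPort 'description' 'remoteHost' lease
ROW = re.compile(r"^\s*\d+\s+(TCP|UDP)\s+(\d+)->([\d.]+):(\d+)\s+'([^']*)'")


def exposed_cast_mappings(listing):
    """Return (proto, ext_port, host, int_port, description) for every
    UPnP mapping whose external or internal port is one of CAST_PORTS."""
    hits = []
    for line in listing.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header row, status text, blank lines
        proto, ext, host, internal, desc = m.groups()
        ext, internal = int(ext), int(internal)
        # Check the internal port too: a mapping such as
        # 50000->host:8009 still makes the device reachable from outside.
        if ext in CAST_PORTS or internal in CAST_PORTS:
            hits.append((proto, ext, host, internal, desc))
    return hits


# Constructed sample listing (not captured from a real router).
SAMPLE = """\
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 TCP  8008->192.168.1.23:8008  'cast' '' 0
 1 UDP 51413->192.168.1.10:51413 'torrent' '' 0
 2 TCP 50000->192.168.1.23:8009  'remapped' '' 0
 3 TCP  8443->192.168.1.23:8443  'cast-tls' '' 3600
"""

if __name__ == "__main__":
    for proto, ext, host, internal, desc in exposed_cast_mappings(SAMPLE):
        print(f"exposed: {proto} WAN:{ext} -> {host}:{internal} ({desc})")
```

An empty result on a real listing only means no UPnP-created mapping exists for these ports; manually configured port forwards do not appear in the UPnP list and have to be checked in the router's own settings.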