The method hackers spent this week using to hijack thousands of Google Chromecast devices is now available to those who hadn't figured it out already.
Uploaded to GitHub on Thursday, a tool called Crashcast allows almost instantaneous takeover of all Chromecast streaming devices that have been mistakenly left accessible online. The same misconfiguration was exploited by the hacker duo Hacker Giraffe and j3ws3r earlier this week to broadcast a message in support of YouTube star Felix Kjellberg, better known as PewDiePie, to thousands of Chromecast owners.
The prank was meant to draw attention, the hacker says, to the fact that thousands of Chromecast units globally have been left exposed unnecessarily.
Hacker Giraffe, who not long ago pulled a similar prank with internet-connected printers, said Thursday that the backlash caused by the high-profile Chromecast prank led them to give up hacking. The fear of being caught and persecuted, the hacker wrote on Pastebin, caused "all sorts of fears and panic attacks."
"I just wanted to inform people about their vulnerable devices while supporting a YouTuber I liked. I never meant any harm, and I've never had any ill intentions," they added.
But now a tool that achieves the same feat is available to almost everyone, thanks to Amir Khashayar Mohammadi, a security and freelance researcher. Mohammadi, however, tells Gizmodo that the tool he released is merely a proof of concept that was uploaded to investigate the problem and is not intended for malicious use.
Fortunately, the problem is fairly benign. The tool does not allow remote code execution, so forcing the device to play random YouTube videos is all that can be achieved. "You don't necessarily need to hack anything here," says Mohammadi, who blogs and publishes papers on the Spuz.me website. "Everything you do issues a cURL command, which in this case tells Chromecast to display a video."
"There is no authentication or bypass, you actually do what Chromecast is supposed to do, except the reason it works is because they are all exposed to the internet," he continued, adding: "I mean honestly, why would anyone leave their Chromecast on the internet? It makes no sense. You literally ask for it."
His tool works by first identifying all the publicly accessible Chromecast devices, a feat achieved thanks to Shodan, a search engine designed to find internet-connected devices as opposed to websites. Along with a recent version of Python, the programming language, Crashcast requires access to the Shodan API, which costs around $60, although apparently it can be obtained for free with a .edu email account.
Crashcast can quickly find all of the publicly accessible Chromecast devices visible to Shodan. (At the time of writing, Shodan can detect 176,268 individual Chromecasts.) When the search is complete, the user is prompted to enter a YouTube video ID. And that's really it. Whichever video is selected should be immediately displayed by each of the devices. (Note: Gizmodo hasn't actually tested Crashcast because we don't like surprise visits from the Fed.)
"I do this for a reason and just a reason," Mohammadi said. "Raising awareness."
Note to readers: Use of the tool can be considered a computer crime in many countries, including the United States. "My code is for scientists looking for [proof of concepts] for vulnerabilities talked about but not actually observed properly," he said, emphasizing that what people end up doing with the tools is on them. "I'm just writing them, I'm not using/testing them, I just know they work."
Mohammadi also said that while he is not very familiar with Hacker Giraffe, he has heard of their exploits (pun).
"His tools do more than likely accurately what mine are doing," he said. "Yes, and I noticed that he has disappeared. I have one thing to say to it, it's not his fault. Blame all those people who, for no reason, are exposed to Chromecasts, or printers or cameras, anyway!"
Mohammadi continued: "These same people are the reasons why people like me have to release the tools to get up and change their router configurations. We must force these people to do so. Like updating, people do not do it unless needed. These are the same people who give power to such tools in the first place! Blame them completely."
For any Chromecast owners forced to watch terrible YouTube videos, the fix is quite simple, although it may be harder for someone who has never ventured into their router's internal settings. (Disabling forwarding on ports 8008 and 8443 should do the trick.) If you're not so knowledgeable, try running a search for instructions on how to access your router through your browser.
Worst case, you can always try calling your ISP and requesting help. I would not bother trying Google, however.
While Google did not respond to Gizmodo's request for comment earlier this week, the company tried to distance itself from the problems experienced by its customers: "This is not a problem with Chromecast in particular, but rather is the result of router settings that make smart devices, including Chromecast, available to the public."