A new hacking campaign has hijacked thousands of exposed Chromecasts, Smart TVs, and Google Home devices in order to stream a YouTube video promoting PewDiePie's YouTube channel, urging the users to subscribe to the channel and fix their devices.
In the initial campaign, TheHackerGiraffe hacked thousands of printers in order to print a message promoting PewDiePie’s YouTube channel, urging users to subscribe to the channel.
A new hacking campaign
In this new hacking campaign, TheHackerGiraffe has teamed up with another hacker, j3ws3r, and the pair have borrowed the Chromecast attack code from FriendlyH4xx0r. This Chromecast attack code uses the Google Home device API in order to connect to the device.
TheHackerGiraffe explained on Twitter that this hacking campaign, dubbed CastHack, exploits users whose incorrectly configured routers have the Universal Plug ‘n’ Play (UPnP) service enabled. The UPnP service forwards specific ports from the internal network to the internet.
Exploiting incorrect device configuration
The incorrectly configured UPnP settings allowed FriendlyH4xx0r to set up a script that scans for all devices with the exposed ports. Once the devices are detected, another script renames the devices to ‘HACKED_SUB2PEWDS_#’ and then attempts to stream the video.
TheHackerGiraffe told BleepingComputer that they were able to identify approximately 123,000 vulnerable devices using Shodan, with 100,000 being actually accessible. The hacking team also created a site at https[:]//casthack[.]thehackergiraffe[.]com/ that provides real-time information on the attack and a running count of successfully attacked devices.
The specific ports used by Chromecasts, Google Home devices, and smart TVs are 8008, 8009, and 8443. When TheHackerGiraffe began the attack, they were able to stream video on 2000 devices while targeting TCP ports 8008/8443, but soon everything stopped working, even on their local devices. This made the attackers suspect that Google had released an API hotfix that stopped their attack from working. The attackers then switched to port 8009 to exploit Google’s own cast protocol.
“A few minutes after my attack started. I got around 2k devices before the endpoints stopped responding at all. The data harvesting endpoints still responded. And factory reset/reboots were still possible. Renaming also was still possible,” TheHackerGiraffe told BleepingComputer.
What's the motive behind the hacks?
BleepingComputer asked TheHackerGiraffe why they are performing this attack, to which TheHackerGiraffe replied that they were doing this to raise awareness, gain experience, and have some fun.
“My motivation is to just raise awareness while having a bit of developer fun. I build scripts and websites. Get hands on experience with high traffic, but also raise awareness for this. This shouldn't be exposed at all”, TheHackerGiraffe said.
In order to prevent such attacks, UPnP should be disabled on the user’s router, TheHackerGiraffe recommended.
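As an added example (not from the article or from the attackers' code), the sketch below audits a router's UPnP port-mapping listing for forwards that reach the cast ports named above. The listing format is an assumption modelled on miniupnpc's `upnpc -l` output, and the sample listing is constructed.

```python
import re

# Ports the article names for Chromecasts, Google Home devices and smart TVs.
CAST_PORTS = {8008, 8009, 8443}

# Assumed line shape (modelled on miniupnpc's `upnpc -l` listing):
#   index protocol externalPort->internalIP:internalPort 'description' ...
MAPPING_RE = re.compile(
    r"^\s*\d+\s+(?P<proto>TCP|UDP)\s+(?P<ext>\d+)->"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<int>\d+)\s+'(?P<desc>[^']*)'"
)

def parse_mappings(listing):
    """Return one dict per port-mapping line; header and other lines are ignored."""
    mappings = []
    for line in listing.splitlines():
        m = MAPPING_RE.match(line)
        if m:
            mappings.append({
                "proto": m["proto"],
                "external_port": int(m["ext"]),
                "internal_ip": m["ip"],
                "internal_port": int(m["int"]),
                "description": m["desc"],
            })
    return mappings

def exposed_cast_mappings(listing):
    """Mappings that forward internet TCP traffic to a cast port on the LAN.

    The internal port decides: a forward from an unusual external port
    still exposes the device, and external 8443 to a non-cast service does not.
    """
    return [m for m in parse_mappings(listing)
            if m["proto"] == "TCP" and m["internal_port"] in CAST_PORTS]

# Constructed sample listing (not captured from a real router).
SAMPLE = """\
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 TCP  8008->192.168.1.23:8008  'cast device' '' 0
 1 UDP 51413->192.168.1.10:51413 'bittorrent' '' 0
 2 TCP 18009->192.168.1.23:8009  'cast device' '' 0
 3 TCP  8443->192.168.1.40:443   'nas web ui' '' 0
"""

if __name__ == "__main__":
    for m in exposed_cast_mappings(SAMPLE):
        print(f"{m['external_port']}/tcp -> {m['internal_ip']}:{m['internal_port']}")
```

Any mapping it reports is a forward to remove, in addition to turning UPnP off on the router.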