Google Chromecasts are interesting little things. Tiny hockey puck-like dongles that enable you to hook up your TVs and stereos to your home Wi-Fi network. This means you can hook them up to your mobile devices, which means you can have the movies or music on your phone playing on your big TV or blasting out your big speakers. They don’t grab the headlines like smart speakers do, but they have proven rather popular and there will be lots of us who received a Chromecast over the holidays.
Just like any device that connects to the internet, Chromecasts are vulnerable to being compromised by malware. As it is important for us to know about all of the vulnerabilities that affect us, a move by hackers known as Hacker, Giraffe, and J3ws3r could be seen as a public service, although others might not see it that way.
Hackers have hijacked thousands of Google Chromecasts to highlight security vulnerabilities
According to a report by TechCrunch, the three hackers figured out how to make Google Chromecasts play any YouTube video they want. They even found a way to play custom-made videos, too. Of course, upon discovering the vulnerability, they immediately exploited it to make sure that users knew about the flaw in their online security efforts.
Thousands of Chromecast owners were shown a pop-up that warned them of their weakness. The message highlighted the users’ misconfigured routers as the culprits and warned that other hackers would also be able to exploit the weakness and break in, too. The hackers also asked users to subscribe to and follow YouTube personality PewDiePie’s channels.
Google responded to the hack by saying the problem lay elsewhere and was not in the Chromecasts themselves. Speaking to TechCrunch, a Google spokesperson said, “We have received reports from users who have had an unauthorized video played on their TVs via a Chromecast device… This is not an issue with Chromecast specifically, but is rather the result of router settings that make smart devices, including Chromecast, publicly reachable.”
The bug, known as CastHack, isn’t a new one and has been plaguing these types of devices since 2014. While Google is right in saying that the vulnerability lies outside of its product, it is also true that hackers can use Google products to gain a foothold in users’ homes. With the problem going back four years, Google really should have fixed the bug by now.
Although the idea of playing videos on a screen might not seem like a huge problem on its own, the rapid expansion of the smart home industry, centered around smart speakers, opens up some chilling possibilities. If a hacked Chromecast can be made to say things like “Turn off the house alarm” or “Buy something from Amazon,” then all of a sudden, this problem can hit you in the wallet or even put your physical safety in jeopardy.