A while ago two hackers by the name of HackerGiraffe and j3ws3r allegedly “hacked” a bunch of Google ChromeCasts to promote PewDiePie’s (Felix Kjellberg) YouTube Channel.

The “hack” was actually just abuse of poorly configured routers that port forwarded the ChromeCasts to the outside internet. From there, anyone who can reach port 8008 of a Google ChromeCast can send HTTP GET and POST requests that control the device.

All of this is documented functionality; still, one might wonder why Google has never implemented proper authentication between a controlling device and the ChromeCast.

What could go wrong?

Here is some of the functionality built into the ChromeCast dongles that we can exploit using a cURL command:

  • Play a YouTube video of choice
  • Set the name of the device
  • Scan nearby WiFi access points
  • Reboot the device
  • Perform a factory reset
  • Get information about the device (Language, connected SSID, …)

The Commands

Here are some of the commands that can be used to play with the ChromeCast devices. Let’s start with scanning nearby WiFi access points. We’re piping the output through Python’s json.tool module to make it a little bit prettier. You can leave this out if you want.

curl http://{CHROMECAST_IP}:8008/setup/scan_results | python -mjson.tool

To change the device name of a ChromeCast you can use:

curl -X POST -H "Content-Type: application/json" -d '{"name": "{SOME_NAME}"}' http://{CHROMECAST_IP}:8008/setup/set_eureka_info -v

The ChromeCast Exploitation Kit

In order to shed a little bit more light on the situation (and for fun purposes), I have developed a tool to simplify this. This way you don’t even have to remember the URLs and JSON.

Called the ChromeCast Exploitation Kit or CCEK for short, this simple Python script can be used to play with ChromeCast dongles from the command line. No authentication needed. For example you could say:

CCEK.py -t {CHROMECAST_IP} -a play -v dQw4w9WgXcQ

The script above would play Rick Astley’s Never Gonna Give You Up music video on the targeted ChromeCast, a classic!

How many are affected?

A quick search on Shodan.io reveals that a lot of ChromeCasts have actually been exploited. Here you see a ChromeCast in Duffel, Belgium whose name was changed to HACKED_BY_@HACKERGIROX.

How can you protect yourself?

First of all, I think there is no need to open up your ChromeCast to the internet. Log into your router and disable port forwarding to the device. If for some reason you need to have your ChromeCast reachable from the public internet, I recommend setting up an IP whitelist on your firewall.

Secondly, I think Google could implement some form of authentication in newer versions of the ChromeCast firmware. That way nobody could fumble with the device without permission, even from the local network.
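Until such authentication exists, the best you can do is watch your own device for the kind of tampering shown above. The script below is an added example, not part of the original post or of CCEK: it reads the device's own setup information from the same unauthenticated port 8008 API and compares the fields an attacker can change (the device name, via set_eureka_info) against a baseline you recorded while the device was in a known-good state. The baseline values and the sample response are constructed placeholders.

```python
import json
import sys
import urllib.request

# Baseline for your own device, recorded when you know it is untouched.
# Constructed placeholder values; replace them with your device's real ones.
BASELINE = {"name": "Living Room TV", "ssid": "home-wifi"}

# Fields of /setup/eureka_info worth watching: "name" is what the
# set_eureka_info POST changes, "ssid" tells you which network it sits on.
WATCHED_FIELDS = ("name", "ssid")


def diff_against_baseline(info, baseline=BASELINE):
    """Return a list of (field, expected, actual) for watched fields that differ."""
    changes = []
    for field in WATCHED_FIELDS:
        expected = baseline.get(field)
        actual = info.get(field)
        if expected is not None and actual != expected:
            changes.append((field, expected, actual))
    return changes


def fetch_eureka_info(host, timeout=5):
    """Query the device's setup API on the LAN; no credentials exist to send."""
    url = f"http://{host}:8008/setup/eureka_info"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample response modelled on a device whose name was tampered with.
SAMPLE_INFO = json.loads(
    '{"name": "HACKED_BY_example", "ssid": "home-wifi", "locale": "en-US"}'
)


def report(info):
    """Human-readable verdict; returns True when the device matches the baseline."""
    changes = diff_against_baseline(info)
    for field, expected, actual in changes:
        print(f"ALERT: {field} changed from {expected!r} to {actual!r}")
    if not changes:
        print("OK: device matches baseline")
    return not changes


if __name__ == "__main__":
    # Pass your ChromeCast's LAN IP as the first argument to check a live device;
    # without an argument the constructed sample is checked instead.
    info = fetch_eureka_info(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_INFO
    sys.exit(0 if report(info) else 1)
```

Run it from a cron job on a machine inside your network and a non-zero exit status tells you someone renamed the device, whether from the internet through a forgotten port forward or from your own LAN.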

Sharing is caring!