Despite being warned years ago about a bug in its Chromecast media streaming stick, Google has yet to fix it, and hackers are still taking advantage. According to reports, “Hacker Giraffe” recently figured out how to use the bug — dubbed “CastHack” — to manipulate Chromecast into playing any YouTube video, eventually taking over thousands of Chromecasts to display a pop-up message on the connected TV. The message explains to users that a misconfigured router has exposed the devices to hackers.
The attack relies on a weakness in both the Chromecast and the router it connects to: some routers have Universal Plug and Play (UPnP) enabled, which leaves the device reachable from the internet. Hacker Giraffe revealed that disabling UPnP should fix the problem.
“We have received reports from users who have had an unauthorized video played on their TVs via a Chromecast device,” a Google spokesperson said. “This is not an issue with Chromecast specifically, but is rather the result of router settings that make smart devices, including Chromecast, publicly reachable.”
However, that doesn’t address the fact that the bug enables anyone with access to a Chromecast to take control of the media stream and display whatever they want. Bishop Fox, a security consultancy firm, discovered the flaw in 2014, revealing that it could conduct a “deauth” attack that disconnects the Chromecast from the Wi-Fi network to which it was connected. Two years later, U.K. cybersecurity firm Pen Test Partners revealed that the Chromecast was still susceptible to “deauth” attacks.
Ken Munro, founder of Pen Test Partners, said it’s “no surprise that somebody else stumbled onto it.”
“In fairness, we never thought that the service would be exposed on the public internet, so that is a very valid finding of his — full credit to him for that,” Munro said.
In a follow-up email, Google said it’s working to fix the deauth bug.