Hackers Hijack Chromecast Devices and Smart TVs via Exposed UPnP

A pair of hackers has launched a campaign that displays rogue messages on people’s smart TVs encouraging them to subscribe to a popular YouTube channel.

The attack doesn’t seem to be malicious and is part of a larger campaign to promote PewDiePie, the YouTube channel with the largest number of subscribers that was recently in danger of being dethroned. Some weeks ago supporters started remote printing messages on internet-exposed printers and now it seems that they’ve switched to TVs.

The attack takes advantage of ports 8008, 8443, 8009 which are used by Chromecast devices, Google Home and some smart TVs for management on internal networks. These management APIs don’t generally require authentication, but as long as they’re only available on LANs, the risk is not that great.

The problem is that many home routers have broken Universal Plug and Play (UPnP) implementations and this feature, which is typically used for service discovery and automated configuration, can automatically expose those ports to the internet. This means hackers can then send commands directly to users’ TVs or attached Chromecast devices.

The new attack, dubbed CastHack, was created by two hackers who use the Twitter handles HackerGiraffe and j3ws3r. In addition to promoting PewDiePie, the message they streamed to people’s TVs directed users to a page that informed them about the problem and advised them to disable UPnP.

The page also tells users that hackers can “remotely play media on your device, rename your device, factory reset or reboot the device, force it to forget all wifi networks, force it to pair to a new bluetooth speaker/wifi point, and so on.” Also, attackers can read information about the devices, such as the name of the Wi-Fi network the device is connected to, what Bluetooth devices it’s paired with, what alarms are set and more.

The CastHack code has been released on GitHub, so other attackers can now hijack exposed devices, potentially for malicious reasons such as displaying scareware/ransomware notes or other types of scams.

Also, the risk posed by insecure UPnP implementations is much greater than rogue messages on people’s TVs. In November, researchers from Akamai warned that hackers are exploiting UPnP in routers to attack LAN computers over SMB. The same technique, called UPnProxy, was used in the past to proxy malicious traffic through people’s routers.

According to Akamai, there are an estimated 3.5 million devices that expose their UPnP endpoints to the internet and 277,000 of them are vulnerable to UPnProxy attacks.

USB Type-C Devices Get Authentication

The USB Implementers Forum (USB-IF), the maintainers of the USB protocol specifications, have taken a step forward to prevent rogue and malicious devices.

The organization has launched the USB Type-C Authentication Program, which will allow host systems to verify the authenticity of connected USB devices, cables or chargers by using 128-bit cryptography.

The organization has partnered with certificate authority DigiCert to maintain the public-key infrastructure (PKI) for the program.

“USB-IF is excited to launch the USB Type-C Authentication Program, providing OEMs with the flexibility to implement a security framework that best fits their specific product requirements,” said USB-IF President and COO Jeff Ravencraft. “As the USB Type-C ecosystem continues to grow, companies can further provide the security that consumers have come to expect from certified USB devices.”

Over the years, security researchers have demonstrated multiple ways in which USB devices can be misused and even ways in which the firmware of legitimate USB devices can be rewritten to perform malicious tasks.

In 2014, researchers from Berlin-based SR Labs presented an attack called BadUSB that allows hackers to infect PCs via poisoned thumb drives in an undetectable way and then have those PCs infect additional thumb drives in a worm-like manner.

Other researchers manufactured USB devices that can deliver dangerous electric charges to a computer’s USB ports to fry its controller or motherboard. There are even commercial USB thumb drives such as the Rubber Ducky that inject malicious keystrokes by mimicking a keyboard.

Users and companies have few defenses against such attacks and they typically involve disabling the computer’s USB ports through OS policies. This is where USB Type-C Authentication can provide an alternative by configuring the system to only allow for authenticated USB devices to be connected.

Featured eBook
7 Reasons Why CISOs Should Care About DevSecOps

7 Reasons Why CISOs Should Care About DevSecOps

DevOps is no longer an experimental phenomenon or bleeding edge way of delivering software. It’s now accepted as a gold standard for delivering software. It’s time for CISOs to stop fearing DevOps and start recognizing that by embedding security into the process they’re setting themselves up for huge potential upsides. Download this eBook to learn ... Read More
Security Boulevard

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at lucian@constantinsecurity.com or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

lucian-constantin has 298 posts and counting.See all posts by lucian-constantin