Two hackers responsible for hijacking tens of thousands of printers with messages of support for a popular YouTuber have launched a new campaign aimed at connected TVs.
At the time of writing over 72,000 devices had been targeted in the CastHack campaign, which was designed to raise awareness of Chromecasts and Chromecast-enabled smart TVs that may be leaking sensitive information about the devices and the smart home to the public internet.
Ethical hackers ‘HackerGiraffe’ and ‘j3ws3r’ took advantage of home routers on which UPnP had exposed the Chromecast’s local control ports to the internet. Because that interface accepts commands without authenticating the caller, they were able to hijack the devices and force them to play a YouTube video in support of popular vlogger PewDiePie.
The duo warned in a separate notice that the publicly exposed devices were leaking information about the Wi-Fi network and other connected devices, which could allow attackers not only to remotely play media, but also “rename your device, factory reset or reboot the device, force it to forget all Wi-Fi networks, force it to pair to a new Bluetooth speaker/Wi-Fi point, and so on.”
They urged affected users to disable UPnP on the router and stop forwarding ports 8008, 8443 and 8009 (the Chromecast’s HTTP, HTTPS and Cast protocol ports) to devices on the home network.
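The advice above only helps if you can tell whether those ports are actually reachable from the internet. The following script is an added example, not part of the original article or the CastHack notice: it probes the three Chromecast ports on a target with plain TCP connects and reports which ones answer. Run it from a host outside your home network (a VPS or a phone on mobile data) against your public IP; run from inside the LAN it will show the ports open, because a Chromecast listens on them by design. The target address in the usage block is a placeholder.

```python
"""Probe the TCP ports CastHack abused and report which are reachable.

Added example for checking the mitigation in the article (disable UPnP,
stop forwarding 8008/8443/8009). It sends no Cast protocol traffic, only
TCP connects, so it is safe to run against your own public address.
"""
import socket
import sys
from typing import Dict, Iterable, List

# Ports a Chromecast / Chromecast built-in TV listens on:
# 8008 = HTTP local API, 8443 = HTTPS local API, 8009 = Cast protocol (TLS).
CAST_PORTS = (8008, 8443, 8009)


def probe_port(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connection to host:port completes within timeout.

    A refused connection, a timeout or an unreachable host all count as
    'not reachable'; a completed handshake is treated as exposure even if
    the service behind it turns out not to be a Chromecast.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_cast_exposure(host: str,
                        ports: Iterable[int] = CAST_PORTS,
                        timeout: float = 2.0) -> Dict[int, bool]:
    """Probe every port in `ports` on `host` and map port -> reachable."""
    return {port: probe_port(host, port, timeout) for port in ports}


def exposed_ports(results: Dict[int, bool]) -> List[int]:
    """Return the sorted list of ports that answered."""
    return sorted(port for port, reachable in results.items() if reachable)


def report(host: str, results: Dict[int, bool]) -> str:
    """Render a one-line verdict suitable for printing or logging."""
    open_ports = exposed_ports(results)
    if not open_ports:
        return f"{host}: none of {sorted(results)} reachable; no CastHack exposure from here"
    return (f"{host}: ports {open_ports} reachable; if this host is outside your LAN, "
            f"disable UPnP on the router and remove the port forward")


if __name__ == "__main__":
    # Usage: python castcheck.py <public-ip-or-hostname>
    # 203.0.113.10 is a documentation (TEST-NET-3) placeholder, not a real target.
    target = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"
    print(report(target, check_cast_exposure(target)))
```

A successful connect on 8008 or 8443 from outside the network is the condition the hackers exploited; an open 8009 alone is enough to push media to the device. If the probe shows the ports closed from outside but your router still lists UPnP as enabled, the exposure can return the next time any device on the LAN requests a mapping, so the UPnP setting itself is what to fix rather than the individual forwarding rule.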
“We want to help you, and also our favorite YouTubers (mostly PewDiePie),” they added. “We're only trying to protect you and inform you of this before someone takes real advantage of it. Imagine the consequences of having access to the information above.”
The two rose to fame in November and December last year after they were able to hijack connected printers around the world, forcing them to print out a message in support of PewDiePie.
However, they claim not to be responsible for the defacement of a Wall Street Journal page last month which also seemed to be the work of PewDiePie fans.
Tripwire security researcher Craig Young argued that in the smart home usability often trumps security, which is why systems such as Google Chromecast lack meaningful authentication checks on the requests they accept.
“A key problem here is the misconception that LANs are actually private networks. The reality is that there can be a number of ways for external attackers to gain unauthorized access into these ‘private’ home networks,” he added.
“In this case, the miscreants have abused routers with UPnP misconfigurations but web browsing and mobile apps can also expose internal networks. My research from this past summer showing how Google Chromecast and Home could be hijacked via DNS rebinding is a prime example of this.”
Young said he hoped the CastHack campaign serves as a wake-up call for vendors to “rethink their authentication models.”