A while ago two hackers by the name of HackerGiraffe and j3ws3r allegedly “hacked” a bunch of Google ChromeCasts to promote PewDiePie’s (Felix Kjellberg) YouTube Channel.
The “hack” was actually just abuse of poorly configured routers that port forwarded the ChromeCasts to the outside internet. From there, anyone who can reach port 8008 of a Google ChromeCast can send HTTP GET and POST requests to control the device.
All of this is documented functionality; however, one might wonder why Google has never implemented proper authentication between a client device and the ChromeCast.
Here is some of the functionality built
Here are some of the commands that can be used to play with the ChromeCast devices. Let’s start with scanning nearby WiFi access points. We’re piping the output through python -m json.tool to make it a little bit prettier. You can leave this out if you want.
curl http://{CHROMECAST_IP}:8008/setup/scan_results | python -mjson.tool
To change the device name of a ChromeCast you can use:
curl -X POST -H "Content-Type: application/json" -d '{"name": "{SOME_NAME}"}' http://{CHROMECAST_IP}:8008/setup/set_eureka_info -v
In order to shed a little bit more light on the situation (and for fun purposes), I have developed a tool to simplify this. This way you don’t even have to remember the
Called the ChromeCast Exploitation Kit, or CCEK for short, this simple Python script can be used to play with ChromeCast dongles from the command line. No authentication is needed. For example, you could run:
CCEK.py -t {CHROMECAST_IP} -a play -v dQw4w9WgXcQ
The command above would play Rick Astley’s Never Gonna Give You Up music video on the targeted ChromeCast, a classic!
A quick search on Shodan.io reveals that a lot of ChromeCasts have actually been exploited. Here you see a ChromeCast in Duffel, Belgium which had its name changed to HACKED_BY_@HACKERGIROX.
First of all, I think there is no need to open up your ChromeCast to the internet. Log into your router and disable port forwarding to the device. If for some reason you need your ChromeCast to be reachable from the public internet, I recommend setting up an IP whitelist on your firewall.
Secondly, I think Google could implement some form of authentication in newer versions of the ChromeCast firmware. That way nobody can fumble with the device without permission, even on the local network.
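One way to check that the port forward is really gone, as an added example that is not part of the original post: scan a firewall or proxy log for requests to the two port-8008 endpoints shown above that come from outside the home LAN. The log line format, the 192.168.1.0/24 LAN prefix and the sample entries are all constructed for this example.

```python
"""Flag ChromeCast control requests on port 8008 that did not originate on the LAN.

Added example, not code from the original post. The log format is constructed
for this example; adapt LOG_RE to your own router, proxy or firewall export.
"""
import ipaddress
import re

# Endpoints demonstrated in the post; a POST to set_eureka_info renames the device.
SENSITIVE_ENDPOINTS = {"/setup/scan_results", "/setup/set_eureka_info"}

# Constructed: the home LAN prefix; anything outside it reached the device via the router.
LAN = ipaddress.ip_network("192.168.1.0/24")

# Constructed line format: "<src_ip> <method> http://<dst_ip>:<port><path>"
LOG_RE = re.compile(
    r"^(?P<src>\S+) (?P<method>GET|POST) http://(?P<dst>[^:/]+):(?P<port>\d+)(?P<path>\S+)$"
)

# Constructed sample log: two LAN clients and two external sources (documentation IPs).
SAMPLE_LOG = """\
192.168.1.20 GET http://192.168.1.50:8008/setup/scan_results
203.0.113.7 POST http://192.168.1.50:8008/setup/set_eureka_info
198.51.100.9 GET http://192.168.1.50:8008/setup/scan_results
192.168.1.21 POST http://192.168.1.50:8008/setup/set_eureka_info
192.168.1.21 GET http://192.168.1.50:80/index.html
"""


def parse_line(line):
    """Return the matched fields as a dict, or None if the line is not in the expected format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_outside_lan(ip_text, lan=LAN):
    """True when the source address is not inside the trusted LAN prefix (or is unparsable)."""
    try:
        return ipaddress.ip_address(ip_text) not in lan
    except ValueError:
        return True  # an unparsable source is treated as untrusted


def find_exposed_requests(log_text, lan=LAN):
    """Return (src, method, path) for every sensitive port-8008 request from outside the LAN."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["port"] != "8008":
            continue
        if rec["path"] in SENSITIVE_ENDPOINTS and is_outside_lan(rec["src"], lan):
            hits.append((rec["src"], rec["method"], rec["path"]))
    return hits


if __name__ == "__main__":
    for hit in find_exposed_requests(SAMPLE_LOG):
        print("EXPOSED:", *hit)
```

Any hit after you believe the port forward is disabled means the device is still reachable from the outside and the router configuration needs another look.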