Hackers have taken control of Google Chromecast smart TV devices around the world in a stunt to raise awareness of cyber security and to promote YouTuber PewDiePie.
They claim to have gained access to more than 70,000 Google Chromecast devices – used to stream content on a TV – by taking advantage of an internet router setting that makes connected devices such as Chromecasts publicly viewable on the internet.
The hackers, who call themselves HackerGiraffe and j3ws3r, displayed a message on affected TV screens telling users their device had been taken over, warning them their WiFi information was at risk and broadcasting videos on the television.
On a website apparently set up to celebrate and track the success of the incident, the hackers say they carried out the attack to highlight router vulnerabilities.
“We want to help you, and also our favourite YouTubers (mostly PewDiePie). We’re only trying to protect you and inform you of this before someone takes real advantage of it. Imagine the consequences of having access to the information above,” the website said.
Google has confirmed it is aware of the issue and is offering guidance on how to handle the attack.
“We have received reports from users who have had an unauthorised video played on their TVs via a Chromecast device,” a company spokesman said.
“This is not an issue with Chromecast specifically, but is rather the result of router settings that make media devices, including Chromecast, publicly reachable on the internet.”
The technology giant said users could restrict the ability for unsolicited videos to be played on their devices by turning off a feature known as Universal Plug and Play (UPnP), which can be done through a router’s settings website.
The setting enables connected devices to easily discover each other and establish connections for data sharing over that network. HackerGiraffe and j3ws3r also encourage users to disable UPnP.
Last year the same hackers claimed responsibility for a similar attack which forced thousands of printers to print out messages supporting PewDiePie.
The YouTuber, whose real name is Felix Kjellberg, is the most subscribed-to individual on the video platform.
His status as the most popular channel on the site has come under threat from Indian music label and movie studio T-Series, which has led some fans to undertake public stunts to gain him more followers and keep his lead.
Commenting on the news, Craig Young, computer security researcher for Tripwire’s Vulnerability and Exposure Research Team said:
“Many connected media devices, including Google Chromecast, have made the unfortunate design choice to lack any meaningful authentication checks when handling user requests.
“I’ve expressed concerns about this model to several media device vendors including Google but the prevailing attitude seems to be that these devices are made for home use and that anyone on a home network should be trusted. Ideally, these devices should have some form of pairing process in which the end-user must prove that they are authorized to use the device.
“This proof can be as simple as pushing a button on the device or entering a passcode. Google Chromecast even has a Guest mode where the user must enter a code from the screen to prove they are near it but this was designed more as a usability feature than a security feature and can be easily bypassed by an attacker on the network.
“A key problem here is the misconception that LANs are actually private networks. The reality is that there can be a number of ways for external attackers to gain unauthorized access into these “private” home networks. In this case, the miscreants have abused routers with UPnP misconfigurations but web browsing and mobile apps can also expose internal networks.
“Although I do not condone the actions of these hackers, I do hope that this can serve as a wakeup call for vendors to rethink their authentication models.”