The security consultancy Bishop Fox informed Google in 2014 of a UPnP bug that affects Chromecast devices and could allow hackers to play any YouTube video they want. Five years have passed, and the bug persists.
Now two well-meaning hackers have taken the matter into their own hands and have hacked thousands of vulnerable Chromecast devices to remind Google of it. The hackers, who go by Hacker Giraffe and J3ws3r, exploited the bug and forced the affected devices to display a pop-up notice that can be viewed on the connected TV.
The pop-up warns users that their router is misconfigured and is allowing hackers to play whatever they want on the smart TV via the connected Chromecast.
To demonstrate the bug, named CastHack, the hackers displayed a pop-up on the smart TV asking users to subscribe to PewDiePie, a famous YouTuber.
CastHack exploits a vulnerability that affects both Chromecast and the router. Here, the UPnP networking standard, which is enabled in many routers by default, is the real culprit.
As reported by TechCrunch: “UPnP forwards ports from the internal network to the internet, making Chromecasts and other devices viewable and accessible from anywhere on the internet.”
The two hackers have said that disabling UPnP could stop hackers from exploiting the vulnerability.
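A way to audit the UPnP port forwarding described above, as an added example that is not part of the original article: it parses port-mapping entries in the form a router's UPnP IGD service returns for the GetGenericPortMappingEntry action and reports active mappings that point at smart devices. The sample responses, the addresses and ports in them, and the watch list of device IPs are constructed assumptions; how the responses are retrieved from the router is not shown.

```python
import xml.etree.ElementTree as ET

def _sample(ext_port, client, enabled):
    # Constructed GetGenericPortMappingEntryResponse body (all values made up).
    return f"""<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Body><u:GetGenericPortMappingEntryResponse
  xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext_port}</NewExternalPort>
<NewProtocol>TCP</NewProtocol><NewInternalPort>{ext_port}</NewInternalPort>
<NewInternalClient>{client}</NewInternalClient><NewEnabled>{enabled}</NewEnabled>
<NewPortMappingDescription>auto</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""

SAMPLE_RESPONSES = [
    _sample(50001, "192.168.1.23", 1),  # streaming stick, mapping active
    _sample(50002, "192.168.1.10", 1),  # laptop, not in the watch list
    _sample(50003, "192.168.1.23", 0),  # streaming stick, mapping disabled
]

def parse_mapping(soap_xml):
    """Return the New* fields of one mapping response as a dict."""
    fields = {}
    for el in ET.fromstring(soap_xml).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop any XML namespace prefix
        if tag.startswith("New"):
            fields[tag] = (el.text or "").strip()
    return fields

def exposed_devices(responses, smart_device_ips):
    """List (ip, protocol, external_port, open_to_any_host) for active
    mappings whose internal client is one of the watched smart devices."""
    findings = []
    for xml_text in responses:
        m = parse_mapping(xml_text)
        if m.get("NewEnabled") != "1":
            continue  # mapping exists but is switched off
        if m.get("NewInternalClient") in smart_device_ips:
            # An empty NewRemoteHost is a wildcard: any internet host matches.
            any_host = m.get("NewRemoteHost", "") == ""
            findings.append((m["NewInternalClient"], m["NewProtocol"],
                             int(m["NewExternalPort"]), any_host))
    return findings

if __name__ == "__main__":
    for finding in exposed_devices(SAMPLE_RESPONSES, {"192.168.1.23"}):
        print("internet-reachable smart device:", finding)
```

Any finding means the router is forwarding an internet-facing port to that device; removing the mapping or disabling UPnP on the router closes it.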
Google told TechCrunch, “This is not an issue with Chromecast specifically, but is rather the result of router settings that make smart devices, including Chromecast, publicly reachable.”
However, this is only partially true, as Google could still fix the issue in the Chromecast that allows anyone to stream YouTube videos, even custom-made ones, on the connected smart TVs.