DZone
Thanks for visiting DZone today,
Edit Profile
  • Manage Email Subscriptions
  • How to Post to DZone
  • Article Submission Guidelines
Sign Out View Profile
  • Post an Article
  • Manage My Drafts
Over 2 million developers have joined DZone.
Log In / Join
Refcards Trend Reports Events Over 2 million developers have joined DZone. Join Today! Thanks for visiting DZone today,
Edit Profile Manage Email Subscriptions Moderation Admin Console How to Post to DZone Article Submission Guidelines
View Profile
Sign Out
Refcards
Trend Reports
Events
Zones
Culture and Methodologies Agile Career Development Methodologies Team Management
Data Engineering AI/ML Big Data Data Databases IoT
Software Design and Architecture Cloud Architecture Containers Integration Microservices Performance Security
Coding Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks
Culture and Methodologies
Agile Career Development Methodologies Team Management
Data Engineering
AI/ML Big Data Data Databases IoT
Software Design and Architecture
Cloud Architecture Containers Integration Microservices Performance Security
Coding
Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance
Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks
  1. DZone
  2. Software Design and Architecture
  3. Security
  4. Hackers Exploit Known Google Chromecast Vulnerability in Thousands of Devices

Hackers Exploit Known Google Chromecast Vulnerability in Thousands of Devices

A Google Chromecast vulnerability from five years ago has evolved.

Laura Paine user avatar by
Laura Paine
·
Jan. 04, 19 · News
Like (1)
Save
Tweet
Share
6.41K Views

Join the DZone community and get the full member experience.

Join For Free

Starting the New Year off with a bang, Hacker Giraffe and J3ws3r reportedly exploited a vulnerability in thousands of Google Chromecast streaming devices. The CastHack bug, allegedly disclosed nearly five years ago, enabled the hackers to remotely access thousands of the streaming devices, causing them to show a pop-up notice on connected TVs alerting users that their misconfigured router is leaving them vulnerable to more disruptive attacks. While they were at it, they also asked those reading the notice to subscribe to PewDiePie’s YouTube channel.

In 2014, Bishop Fox figures out that it could access and control a Chromecast device by disconnecting it from its existing Wi-Fi network in a deauth attack and reverting it to its factory state. Then, attackers needed to be within the range of the Wi-Fi network to gain access, but the attack method has since evolved. Some home routers use Universal Plug and Play (UPnP) networks, which forward ports from the internal network to the internet, allowing connected devices to be viewed and accessed remotely.

“UPnP has been problematic for years. The protocols exist to make interconnectivity of devices simpler for users,” said Paul Farrington, director, EMEA & APJ Solutions Architecture at Veracode. “The idea behind UPnP is nice, but in the context of a hostile attack landscape, it exposes internal networks to risk. The problem with the Chromecast device is that Google hasn’t really designed it to anticipate a hostile environment – one in which devices can be directly exposed to the internet.”

Consumers Need More Security Education to Protect Their Networks and Devices

A spokesperson from Google told TechCrunch, “We have received reports from users who have had an unauthorized video played on their TVs via a Chromecast device. This is not an issue with Chromecast specifically, but is rather the result of router settings that make smart devices, including Chromecast, publicly reachable.”

While some devices and software applications may rely on UPnP, the majority don’t, and Farrington advises home users to turn it off on their Internet routers. Still, there is more than device manufacturers and Internet Service Providers (ISPs) could do to help educate consumers about device security and providing secure configurations.

“Before network and software engineers create products, they really need to think about the adversary,” Farrington notes. “Asking the question, ‘how would the attacker benefit from this design feature’ should be a constant question that is asked within development teams. Threat Modelling is a term used to describe an approach of identifying ‘secure by design’ architectures that make sensible trade-offs on risk vs. benefit. Upfront thinking about security coupled with continuous security testing is really the only way to address the modern challenge of keeping consumers safe from hackers.”

Scan data from Veracode’s State of Software Security Report Volume 9 shows that DevSecOps teams that embed continuous, automated security testing into their routine eliminate security defects 11.5 times faster than those that test more infrequently. Building security across the SDLC is a competitive advantage for both B2B and B2C organizations. The last few years have shown that consumers are increasingly experiencing breaches of their personal information and devices, and will want to ensure that they’re secure when they make buying decisions.

Google (verb) Hacker security Vulnerability

Published at DZone with permission of Laura Paine, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.

Popular on DZone

  • Bye-Bye, Regular Dev [Comic]
  • Stream Processing vs. Batch Processing: What to Know
  • Quick Pattern-Matching Queries in PostgreSQL and YugabyteDB
  • Agile Transformation With ChatGPT or McBoston?

Comments

Partner Resources

X

ABOUT US

  • About DZone
  • Send feedback
  • Careers
  • Sitemap

ADVERTISE

  • Advertise with DZone

CONTRIBUTE ON DZONE

  • Article Submission Guidelines
  • Become a Contributor
  • Visit the Writers' Zone

LEGAL

  • Terms of Service
  • Privacy Policy

CONTACT US

  • 600 Park Offices Drive
  • Suite 300
  • Durham, NC 27709
  • support@dzone.com
  • +1 (919) 678-0300

Let's be friends: