Google's Chromecast devices have been hijacked by a team of two hackers, Twitter users @HackerGiraffe and @j3ws3r, who remotely hacked into thousands of streaming sticks to broadcast their own custom message. The attack exploits a bug that allows virtually anyone to make Chromecast devices play any YouTube video they want.
This specific attack was fairly harmless: the hackers simply posted a message warning users that their device was exposed to people on the internet. It does mean, however, that those devices can be hacked with much more malicious intent. Additionally, the broadcast image asks users to subscribe to PewDiePie, which was a popular joke in the YouTube community a few weeks ago, and one that HackerGiraffe had already participated in back in September by hacking printers to advertise the YouTuber.
Google responded to the attack by saying that the fault wasn't in Chromecast but rather in the router settings of users' home networks. This, however, only refers to one of the vulnerabilities that allowed the attack - Universal Plug and Play (UPnP) - which makes local devices publicly accessible.
The search giant isn't without fault, though, because the more concerning bug is the fact that Chromecast devices allow an unauthenticated device to access them and control video playback at will. This isn't a new issue, either, as security firms started exploiting this "deauth" bug all the way back in 2014. The major difference here is that thanks to UPnP, the attackers were able to carry out the attack over the internet, while previous demonstrations were made over the local Wi-Fi network, thus requiring the attacker to be within its range and able to authenticate with it.
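For readers who want to check their own network for the exposure described above, here is an added example (not from the article or from Google) that audits a router's UPnP port-mapping table for forwards that reach LAN devices from the internet. The CSV export format is hypothetical, the sample rows are constructed, and the Cast port numbers are an assumption based on commonly documented Chromecast ports, since the article does not list any.

```python
import ipaddress

# Assumption: TCP ports commonly documented for Chromecast's local control
# interfaces; the article itself does not name port numbers.
CAST_PORTS = {8008, 8009, 8443}

# Constructed sample in a hypothetical export format:
# protocol,external_port,internal_ip,internal_port,description
SAMPLE_MAPPINGS = """\
TCP,8008,192.168.1.23,8008,
TCP,8443,192.168.1.23,8443,cast
UDP,51413,192.168.1.10,51413,torrent client
TCP,32400,192.168.1.40,32400,media server
TCP,443,not-an-ip,443,broken row
"""

def parse_mappings(text):
    """Return (mappings, rejected); malformed rows are kept for manual review."""
    mappings, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            proto, ext, ip, internal, desc = [p.strip() for p in line.split(",", 4)]
            entry = {"proto": proto.upper(), "ext_port": int(ext),
                     "ip": ipaddress.ip_address(ip), "int_port": int(internal),
                     "desc": desc}
            if not all(0 < entry[k] < 65536 for k in ("ext_port", "int_port")):
                raise ValueError("port out of range")
        except ValueError:  # wrong field count, bad IP, or bad port
            rejected.append(line)
            continue
        mappings.append(entry)
    return mappings, rejected

def audit(mappings):
    """Flag every forward into the LAN; Cast control ports are rated 'high'."""
    findings = []
    for m in mappings:
        if not m["ip"].is_private:
            continue  # not a forward to a home-network device
        is_cast = m["proto"] == "TCP" and m["int_port"] in CAST_PORTS
        severity = "high" if is_cast else "review"
        target = f'{m["ip"]}:{m["int_port"]}'
        findings.append((severity, m["proto"], m["ext_port"], target))
    # High-severity findings first, then by external port.
    return sorted(findings, key=lambda f: (f[0] != "high", f[2]))

if __name__ == "__main__":
    parsed, bad = parse_mappings(SAMPLE_MAPPINGS)
    for finding in audit(parsed):
        print(*finding)
    print("unparsed rows:", bad)
```

Any mapping rated "high" should be removed on the router, or UPnP disabled entirely, since the unauthenticated control interface is otherwise reachable from the internet.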
Since the attack was carried out, the dedicated page for tracking the attack has been taken down, and YouTube gave one of the hackers' channels a strike, while also taking down one of his videos. In an e-mail to TechCrunch, the company did say it's working on a fix for the "deauth" bug, even if it's four years late to take action.
This isn't the first time Chromecast users have had their privacy exposed. Last summer, another bug was found to give away the user's precise location thanks to Google's location services. At the time, the company was also initially reluctant to acknowledge the problem, but did eventually say it would issue a fix.