Don’t fall victim to the Chromecast hackers – here’s what to do

If you ever used dial-up networking to access the internet, you probably remember it mostly for being cumbersome and slow.

But it was also astonishingly insecure, because your computer – which was probably running Windows 95, Windows 3, or even good old DOS – ended up with a public-facing IP number, connected straight onto to the internet.

Other users out there could, literally and figuratively, reach out and probe your computer directly.

In recent years, however, we’ve got used to the idea that home computers don’t get plugged directly onto the internet – they typically connect through a router instead, and it’s the router that’s plugged into the internet connection.

Indeed, it’s tempting to assume that home routers came about specifically to address the security risks inherent in connecting laptops and other home devices straight onto the internet…

…but the truth is that the main reason for having a home router is to support multiple devices through connection sharing.

That means your ISP only needs to hand out one IP number per household, rather than one IP number per device.

Connection sharing explained

The “trick” used for internet connection sharing is called NAT, short for Network Address Translation, and it’s a way to allow a single home router to divide up your internet connection automatically between any number of devices.

The NAT software on your router keeps track of which internal devices have made what outbound network requests to which external servers, and sorts out the inbound replies so that they get back to the right place.

But NAT doesn’t work automatically for inbound traffic.

If a brand new network request arrives from the outside asking to be sent to your mail server or your web server, for instance, there’s no way for your router to know in advance where to redirect that packet inside the network.

NAT therefore has the handy side-effect, in theory at least, of boosting security – by default, your internal devices can’t be probed directly from the outside.

Unless and until you configure your router to tell it where and how to redirect inbound connection requests, NAT basically acts as a firewall that causes incoming connections to fail harmlessly.

Invisible by default?

It’s easy to assume that any internal devices behind your router are “invisible by default”, and thus that anything you connect to the private part of your network is safe from discovery and attack – including your computers, phones, tablets, file servers, thermostats, webcams, printers…

..and your Chromecast media streaming devices.

In practice, however, NAT alone simply isn’t enough to keep the crooks out.

Firstly, some routers come with externally-facing services of their own, such as a web interface, turned on by default.

In this case, crooks can attack your network by probing for bugs on the router itself.

If they can figure out how to run unauthorised commands on your router, they can reconfigure the router to enable inbound access for future attacks.

Secondly, some routers come with a system called Universal Plug and Play (UPnP) turned on by default.

UPnP is a protocol that devices inside separate, NATted networks can use to identify and communicate with each other, with their respective routers co-operating to open up the necessary connectivity and packet forwarding automatically.

Thirdly, many routers end up with inbound network ports opened up and then forgotten about.

As a result, crooks can automatically find and potentially exploit services that are accessible through holes that aren’t supposed to be there.

Unfortunately, probing for unexpected remote access holes is as easy as running through a list of IP numbers one by one (or million by million) and seeing what happens if you try to connect.

Sometimes, you will not only find out that a particular port is open on a particular computer, but also receive a snippet of data back that gives away what sort of service is listening, even if the port number isn’t one usually associated with that service.

For example, email servers listen by convention on port 25, and web servers on port 80, but it’s easy enough to spot those services if they’re “hidden” on non-standard port numbers.

In the example below, we’ve probed and found a mail server on port 10025 and a web server on port 10026:

For better or worse, search engines exist that repeatedly sweep through the internet, keeping track of which IP numbers had what network ports open, and what service, if any, seemed to be listening for connections.

By querying these search engines (two well-known ones are Censys and Shodan), would-be hackers can download ready-made lists of networks to start probing – the hackers don’t even need to do the initial reconaissance, known as port scanning, themselves.

Scanning for mischief

Sadly, some “researchers” can’t resist using port scans for mischief, thinly disguised as attempts to make a serious security point.

For example, in December 2018 a hacker going by the name TheHackerGiraffe decided to “warn” networks with internet-connected printers by printing out a “notification page”, entirely without permission.

The notification message included an advert for a well-known, high-traffic YouTube video blogger called PewDiePie.

PewDiePie, real name Felix Kjellberg, wasn’t the perpetrator of the hack, just the unexpecting recipient of an “endorsement” by the hackers.

At the start of 2019, TheHackerGiraffe couldn’t resist having another go at incorrectly-configured networks, probing for and finding tens of thousands of publicly-visible Chromecast devices.

This time, it seems the Giraffe was aided and abetted by an online chum going by the name j3ws3r (whether that’s an anti-semitic slur or just hacker-style spelling of the word “user”, where the j is pronounced as y, is an open question).

According their own website, the pair identified more than 72,000 vulnerable Chromecast and Google Home devices:

They also unlawfully played “warning videos” on 65,000 of the Chromecasts, once again promoting PewDiePie:

(We’ve redacted the link in the video – when we tried it, it was a rickroll, redirecting to a video of singer Rick Astley performing Never Gonna Give You Up.)

What to do?

• Turn off UPnP on your router. It’s been a recipe for trouble for many years, and you almost certainly neither want nor need to open it up to the outside world.
• Check what network ports are opened up on your router. If you see 8008, 8009 and 8443 open, then any Chromecasts you own are probably exposed. But any open port could spell needless danger, so close any port that you aren’t 100% sure you need to keep open.
• Don’t go around poking sticks into other people’s devices. It’s neither witty nor lawful to access other people’s computer equipment without permission.

If you’re blindly playing videos on random people’s Chromecasts, or printing out unsolicited messages on their printers, then you don’t have permission, and you jolly well know it.

Even if your intentions are good, please don’t mess with other people’s stuff – you might end up regretting it, as the Giraffe himself now seems to do, if a recent post to Pastebin is to be believed:

Yeah, I will have to disappear. Most probably for good this time. Who knows? Maybe I’ll appear in 2 weeks on this same account again. No matter how much I write, I can’t describe to you the mental stress and panic I’m going through right now. But I won’t complain about that, because people will say I brought this on myself, I did those “hacks”, I deserve the consequences. But I’m a human too, don’t just throw away all my emotions because of my “hacker” personality. I don’t deserve to be thrown under a bus for wanting to help people, but I guess that will put a smile on some people’s faces.

Chromecast image from Wikimedia commons.