Hackers warned thousands of Chromecast users of a security flaw…by hijacking their devices. They were the latest people to work out how to force the Chromecast to play any YouTube video they want. For good measure, the hackers, who go by the names Hacker Giraffe and J3ws3r, encouraged users to subscribe to controversial YouTube personality PewDePie’s channel. Techcrunch spoke to researchers concerned that the vulnerability could leave exposed devices vulnerable to more damaging attacks.
The bug, dubbed CastHack, exploits a weakness in both Chromecast and the router it connects to. Some home routers have enabled Universal Plug and Play (UPnP), a networking standard that can be exploited in many ways. UPnP forwards ports from the internal network to the internet, making Chromecasts and other devices viewable and accessible from anywhere on the internet.