Thousands of Google Chromecast products have been taken over by a couple of identified hackers who have exploited a supposed weakness in device security to prove a point. They apparently executed this hijack to demonstrate and warn users that devices like this can in fact be taken over and user data can be obtained.
CastHack is the bug which exploits a weakness in the Universal Plug and Play (UPnP) networking standard in some routers, which makes several connected network devices, like Chromecasts, accessible on the internet. Because this security breach occurs at the foundation of the network, it’s actually an issue with router security – not the Chromecast device. UPnP is a protocol that allows trusted devices on your network to communicate externally and with other devices when they need to by temporarily opening certain ports on your router.
The hackers exploited UPnP in routers to display a message on displays with Chromecast attached to them. This message was a warning to users about this security flaw as well as a marketing proposal to subscribe to YouTuber PewDiePie. So, although they technically did hack into user’s devices, it was a relatively unharmful advertisement encouraging stronger network security (unless you consider getting “rick-rolled” harmful). One of these hackers was also responsible for hijacking around 50,000 printers worldwide, printing out a supportive message for a particular YouTube channel.
You can tackle this security issue by disabling UPnP on your router completely, which will effectively shut the door on outside hackers to these devices. However, by disabling UPnP, it could have potential side effects to smart device connectivity in your home if they use the protocol, including rendering the Chromecast itself useless. You can open the needed ports manually on your router and although it’s technical to do so, it is possible if you are looking to completely circumvent the possibility of intrusion through these devices.
This also isn’t the first time Google’s Chromecast has been compromised. During its debut in 2014 as well as in 2016, bugs that allowed remote hijacking were found. Even if it isn’t the device’s fault directly, it would be wise for Google to increase security to Chromecast since it is so widely used. Currently, for Chromecast, there is no “workaround” for this security risk other than simply unplugging it when not in use, or just never using it again.