Hackers have used a router vulnerability to remotely take control of tens of thousands of smart TVs and Google products, including the Home smart speaker and Chromecast streaming device.
Named #CastHack, the stunt began on January 1 and saw over 72,000 devices exposed to the hack. A website set up by the hackers claimed over 65,000 devices were forced to play a video which included a message telling the victim they had been hacked, then asked them to subscribe to the controversial YouTube channel of Felix Kjekkberg, better known as Pewdiepie.
- 12 Internet of Things hacks and why you need to lock down your devices in 2019
- Three quarters of consumers worry about internet hacking
- Now even your robot vacuum cleaner can have its camera hacked
Although the numbers on the hackers' website may not be accurate - they did not increase in the time it took to write and publish this article - a number of Reddit users have posted to say they are victims of the hack. One person said: "Every 20 minutes or so my TV switches to some crappy YouTube video about Pewdiepie with s****y rap music and a '#ChromeCastHack' hashtag."
A Twitter account seemingly created by the hackers - known as HackerGiraffe and j3ws3r - claimed the hack was taking control of 20 Chromecasts every second on January 1. The account tweeted a day later to reference a patch issued by Google to stop the attack.
Rather than being a hack breaking into the security of Google devices and smart televisions themselves, this stunt was made possible by exploiting vulnerabilities in the home Wi-Fi routers they use to connect to the internet.
The attack took advantage of a common router feature called Universal Plug and Play (UPnP), which is used to help devices see each other on a Wi-Fi network - devices like printers, smart speakers and TV streaming sticks like the Chromecast.
The hackers' website claimed they performed the relatively harmless stunt to draw attention to the vulnerability, rather than cause genuine damage. The website reads: "We want to help you...We're only trying to protect you and inform you of this before someone takes real advantage of it."
The site also said: "If you came here because you're a victim of #CastHack, then know that your Chromecast/Smart TV/Google Home is exposed to the public internet, and is leaking sensitive information related to your device and home."
The hackers reassured victims that they cannot access any personal information related to their Google account, nor can they access the Google Home's microphone, but they claim to have access to the noise level in whatever room the device is in. They also said they could remotely play media on the device, rename the device, perform a reboot or factory reset, and force it to pair with a new Bluetooth speaker or Wi-Fi network.