Don’t fall victim to the Chromecast hackers – here’s what to do – Naked Security

Posted by santillano at 2020-02-17

If you ever used dial-up networking to access the internet, you probably remember it mostly for being cumbersome and slow. But it was also astonishingly insecure, because your computer – which was probably running Windows 95, Windows 3, or even good old DOS – ended up with a public-facing IP number, connected straight onto the internet. Other users out there could, literally and figuratively, reach out and probe your computer directly.

In recent years, however, we’ve got used to the idea that home computers don’t get plugged directly onto the internet – they typically connect through a router instead, and it’s the router that’s plugged into the internet connection.

Indeed, it’s tempting to assume that home routers came about specifically to address the security risks inherent in connecting laptops and other home devices straight onto the internet…

…but the truth is that the main reason for having a home router is to support multiple devices through connection sharing. That means your ISP only needs to hand out one IP number per household, rather than one IP number per device.

Connection sharing explained

The “trick” used for internet connection sharing is called NAT, short for Network Address Translation, and it’s a way to allow a single home router to divide up your internet connection automatically between any number of devices.

The NAT software on your router keeps track of which internal devices have made what outbound network requests to which external servers, and sorts out the inbound replies so that they get back to the right place.

But NAT doesn’t work automatically for inbound traffic. If a brand new network request arrives from the outside asking to be sent to your mail server or your web server, for instance, there’s no way for your router to know in advance where to redirect that packet inside the network.
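The bookkeeping described above can be modelled directly. The following Python model is an added example, not code from the original article: the `NatRouter` class, all addresses and the sample port 10026 are constructed for illustration, and it assumes a router that matches replies on both the external port and the remote endpoint, which not every router does.

```python
from itertools import count

class NatRouter:
    """Toy model of a home router's NAT table (hypothetical class, sample values)."""
    def __init__(self, public_ip):
        self.public_ip = public_ip
        self._ports = count(40000)  # external source ports handed out in order
        self.sessions = {}          # (ext_port, remote) -> internal (ip, port)
        self.forwards = {}          # ext_port -> internal (ip, port)

    def outbound(self, internal, remote):
        """Inside device connects out: remember who asked, rewrite the source."""
        ext_port = next(self._ports)
        self.sessions[(ext_port, remote)] = internal
        return (self.public_ip, ext_port)

    def add_forward(self, ext_port, internal):
        """Port-forwarding rule: tells the router where new inbound traffic goes."""
        self.forwards[ext_port] = internal

    def inbound(self, remote, ext_port):
        """Return the internal destination for a packet from outside, or None."""
        if (ext_port, remote) in self.sessions:   # reply to a tracked request
            return self.sessions[(ext_port, remote)]
        if ext_port in self.forwards:             # port deliberately opened
            return self.forwards[ext_port]
        return None                               # unsolicited: dropped

def demo():
    # All addresses below are constructed (documentation and private ranges).
    router = NatRouter("203.0.113.7")
    server, scanner = ("198.51.100.10", 443), ("192.0.2.99", 51515)
    laptop, tv = ("192.168.1.20", 50001), ("192.168.1.30", 50001)
    _, p1 = router.outbound(laptop, server)
    _, p2 = router.outbound(tv, server)
    results = {
        "reply_to_laptop": router.inbound(server, p1),
        "reply_to_tv": router.inbound(server, p2),
        "probe_unopened_port": router.inbound(scanner, 10026),
        "probe_session_port": router.inbound(scanner, p1),
    }
    router.add_forward(10026, ("192.168.1.50", 80))  # rule added on the router
    results["probe_forwarded_port"] = router.inbound(scanner, 10026)
    return results

if __name__ == "__main__":
    for name, dest in demo().items():
        print(f"{name:22} -> {dest}")
```

Once the forwarding rule exists, the same probe that was previously dropped is delivered to the internal host, which is why forwarding rules on a home router are worth reviewing and removing when no longer needed.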
Unless and until you configure your router to tell it where and how to redirect inbound connection requests, NAT basically acts as a firewall that causes incoming connections to fail harmlessly.

Invisible by default?

It’s easy to assume that any internal devices behind your router are “invisible by default”, and thus that anything you connect to the private part of your network is safe from discovery and attack – including your computers, phones, tablets, file servers, thermostats, webcams, printers…

…and your Chromecast media streaming devices.

In practice, however, NAT alone simply isn’t enough to keep the crooks out.

Firstly, some routers come with externally-facing services of their own, such as a web interface, turned on by default. In this case, crooks can attack your network by probing for bugs on the router itself.

Secondly, some routers come with a system called Universal Plug and Play (UPnP) turned on by default. UPnP is a protocol that devices inside separate, NATted networks can use to identify and communicate with each other, with their respective routers co-operating to open up the necessary connectivity and packet forwarding automatically.

Thirdly, many routers end up with inbound network ports opened up and then forgotten about.

Unfortunately, probing for unexpected remote access holes is as easy as running through a list of IP numbers one by one (or million by million) and seeing what happens if you try to connect.

Sometimes, you will not only find out that a particular port is open on a particular computer, but also receive a snippet of data back that gives away what sort of service is listening, even if the port number isn’t one usually associated with that service.
In the example below, we’ve probed and found a mail server on port 10025 and a web server on port 10026:

For better or worse, search engines exist that repeatedly sweep through the internet, keeping track of which IP numbers had what network ports open, and what service, if any, seemed to be listening for connections.

By querying these search engines (two well-known ones are Censys and Shodan), would-be hackers can download ready-made lists of networks to start probing – the hackers don’t even need to do the initial reconnaissance, known as port scanning, themselves.

Scanning for mischief

Sadly, some “researchers” can’t resist using port scans for mischief, thinly disguised as attempts to make a serious security point.

For example, in December 2018 a hacker going by the name TheHackerGiraffe decided to “warn” networks with internet-connected printers by printing out a “notification page”, entirely without permission.

The notification message included an advert for a well-known, high-traffic YouTube video blogger called PewDiePie. PewDiePie, real name Felix Kjellberg, wasn’t the perpetrator of the hack, just the unexpecting recipient of an “endorsement” by the hackers.

At the start of 2019, TheHackerGiraffe couldn’t resist having another go at incorrectly-configured networks, probing for and finding tens of thousands of publicly-visible Chromecast devices. This time, it seems the Giraffe was aided and abetted by an online chum going by the name j3ws3r (whether that’s an anti-semitic slur or just hacker-style spelling of the word “user”, where the j is pronounced as y, is an open question).

According to their own website, the pair identified more than 72,000 vulnerable Chromecast and Google Home devices:

(We’ve redacted the link in the video – when we tried it, it was a rickroll, redirecting to a video of singer Rick Astley performing Never Gonna Give You Up.)

What to do?

If you’re blindly playing videos on random people’s Chromecasts, or printing out unsolicited messages on their printers, then you don’t have permission, and you jolly well know it.

Yeah, I will have to disappear. Most probably for good this time. Who knows? Maybe I’ll appear in 2 weeks on this same account again. No matter how much I write, I can’t describe to you the mental stress and panic I’m going through right now. But I won’t complain about that, because people will say I brought this on myself, I did those “hacks”, I deserve the consequences. But I’m a human too, don’t just throw away all my emotions because of my “hacker” personality. I don’t deserve to be thrown under a bus for wanting to help people, but I guess that will put a smile on some people’s faces.

Chromecast image from Wikimedia Commons.