Hackers Are Taking Over Chromecasts To Promote a YouTube Channel (theverge.com) 90
In what is being referred to as CastHack, hackers j3ws3r and HackerGiraffe are promoting Felix "PewDiePie" Kjellberg by forcing TVs to display a message encouraging people to subscribe to his YouTube channel. "The hack takes advantage of a router setting that makes smart devices, like Chromecasts and Google Homes, publicly viewable on the internet," reports The Verge. "The attackers are then able to gain control of the devices and broadcast videos on a connected TV." From the report: A website for the attack claims to count the number of TVs forced to show the PewDiePie message and currently says more than 3,000 have been affected. While it's not clear that this is an accurate number (it has reset several times), a number of people posted on Reddit that the video had appeared on their TV. Google tells The Verge it has received reports from people who had "an unauthorized video played on their TVs via a Chromecast device," but said the issue was the result of router settings. Both HackerGiraffe and Google told The Verge the best way for affected users to fix the issue is to turn off Universal Plug and Play (UPnP) on their routers. The two hackers said they were behind a hack in November that forced printers around the world to print out sheets of paper telling people to subscribe to PewDiePie.
Impressive... (Score:3, Insightful)
And that takes some doing. Good work guys.
Re: (Score:2, Insightful)
Ugh. Out of mod points, but I'll sit here and think really positive thoughts at you for a minute, okay?
Re: (Score:2)
Intresting enough.. the same hackers claimed to have done exactly that. But with an url to the same youtube-channel and not goatse.
Re: (Score:2, Informative)
I have never cared for PewDiePie. Now, thanks to these imbeciles, I absolutely despise him.
Re: (Score:2)
Virtual +5 insightful.
The best way to gain support is not by pestering everyone about it.
Everybody's heard of the Streisand effect [wikipedia.org], where an attempt to hide, remove, or censor a piece of information has the unintended consequence of publicizing the information more widely.
Well, I'm suggesting we call this the PewDiePie effect, where an attempt to gain worldwide support for someone/something has the unintended consequence of destroying any chance of gaining more support and even destroying the support curren
Re: (Score:2)
Why would one buy a connected device designed to play internet videos and not connect it to the internet?
Opposite take, liking the vulnerability exposure (Score:5, Insightful)
I really don't care to watch PewDiePie at all (I tried a little, once).
However the actions of his hacking subscription army exposing the absolute dismal state of the Internet Of Thangs has me absolutely cheering him on and wishing for more, and more and more similar activity until even the least technical person says "wait a minute" to installing new network connected devices.
Re: (Score:2)
Yeah I tried once, just so I could work out what the f*** the kids where on about.
Nope, definately a dad moment for me. Like , 30+ years ago my father being genuinely mystified as to why I liked Iron maiden so much when the Beatles and Elvis where soooooo hip! Yeah, thats me, 30+ years later wondering what the hell the little ones see in this jibbering incoherent walking-mess of a man playing video games.
Oh well, one day she'll have her own kids and be baffled as fuck at them. I guess its the cycle of life.
Re: (Score:2)
According to some other newssource (heise.de) they rather use that guy as a new rickrolling target than actually endorsing him. (or to be as exact as I remember, they would rather prefer a personally owned channel to lead youtube statistics than a corporate commercial one like the one that recently took over the youtube lead)
So why totally open this port... (Score:2)
Why does Chroecast open up a port, any port, to the whole wide internet? To the point where it's even uPnP compatible,, not just for network local devices...
What purpose does that serve? When did that seem like a good idea?
Re:So why totally open this port... (Score:5, Informative)
Why does Chroecast open up a port, any port, to the whole wide internet?
It doesn't. The malware these people ran is what sent the uPNP packet to open holes in their router.
The same method has been used by malware in the past to open tons of holes in NAT devices that claim to be firewalls, even SMB and remote desktop, iterating internal IPs in turn to try and find a vulnerable windows host.
uPNP is simply retarded and shouldn't exist. Any user-level software capable of sending a UDP packet can render such a NAT device completely useless as a level of protection that an actual firewall wouldn't allow.
Re: (Score:3)
Re: (Score:3)
Well, it's largely on Google, in an ideal world it would be 100%. A device's security strategy should never include 'dear god please don't let internet hosts connect to me'
However, UPnP is a problem in practice because we have *so many* devices that employ this strategy, and UPnP offers a trivial way for opening them up, as well as opening command and control ports open to a client device that should never be running a service, without even a way to request approval for a UPnP forwarding request from an au
Re: (Score:1)
Practically speaking, routers should probably pair with some sort of phone app and do notifications to ask for approval when a upnp request comes in and not grant forwarding until approved.
Are there any routers that do this? It sounds like a great idea. I already have an app for my Lynksys unit, it would be a really nice feature to not let any devices take part of using PnP without my approving.
Re: (Score:2)
No idea, just a thought off the top of my head. I just disable upnp as any things I want exposed I know enough to do it myself and it's such a rare phenomenon that the relative tedium is acceptable. Such a feature would be of great use to those lacking that degree of experience or putting gobs of enabled services on a network, but I don't need it so I haven't looked into it.
Re: (Score:2)
There's something like this on my new Netgear router. I have uPnP disabled on there, and when I went to connect my DVD player, it gave me a message to go to the router and press some button to allow it to connect. I forget what that security measure was called, but does it fit the bill?
Re: So why totally open this port... (Score:2)
You have a 6 digit UID, and you don't know the difference between UPNP and WPS?
No, it's not even remotely the same thing. The only thing they have in common is that they're both insanely bad ideas if you care about security.
Re: (Score:2)
There's nothing wrong with uPnP, it does a job that needs doing at least until we have ubiquitous IPv6.
I still feel it needs to be a touch more effort than the current state of effortless to punch a hole through NAT.
I know expecting any effort from the common user is a step too far these days, but see below, you yourself just mistakenly claimed chromecast was effortless to access (which isn't true) and said that was a bad thing.
There's plenty wrong with devices that get (however it's done) external connectivity and then implement zero security, effectively allowing their owners networks to be abused.
Chromecast devices link into a google account before you can have them stream video from anywhere.
That means you need to sign in to my google account, by password and 2fa, before you
Re: So why totally open this port... (Score:2)
No, Chromecast doesn't require you to be signed into your account. You can set it up to prevent unauthorised users from streaming to it, but it doesn't do that by default. Plenty of people leave it completely unsecured. Mine is unsecured because I like the convenience of my guests being able to instantly connect to it. But I also have UPNP disabled on my router, so I'm not worried about anyone accessing it from outside my network.
Re: (Score:2)
And we'll still need it then. Because NOTHING in IPv6 guarantees that you'll have direct access between hosts using IPv6. (As in, firewalls exist)
So even in an IPv6 world where everything has their own unique IP address (and the RIAA and MPAA can uniquely identify a host and the user associated with it to sue individuals - something you can't do with IPv4), firewalls will break direct connections. This i
Re: (Score:1)
You're completely retarded and shouldn't exist.
uPnP is a fine idea. It's the router manufacturers that screwed up by not making it so packets from outside the network can affect changes.
Re: (Score:2)
uPNP is simply retarded and shouldn't exist.
I agree. We shouldn't have broken the internet with NAT, we should have adopted IPv6 over a decade ago. Unfortunately what we have is known as trying to make do with a shitty situation.
Re: So why totally open this port... (Score:2)
Yeah, insecure devices being accessed via UPNP is way worse than insecure devices connected directly to the net via their own IPV6 address!
Re: (Score:2)
Yeah, insecure devices being accessed via UPNP is way worse than insecure devices connected directly to the net via their own IPV6 address!
You are completely right. the UPNP hack has the knock on effect of breaking firewalls. If every device had it's own IPv6 address we wouldn't need the hack and our routers and firewalls could adequately mitigate this issue.
Oh you were being sarcastic? Well in that case you're wrong.
Re: (Score:2)
No firewall was broken here. NAT is NOT a firewall and should NOT be considered as a security measure. The firewall-like behaviour is a side-effect that should not be relied on even though it has the same effect as you probably would configure an actual home-use firewall (everything out and nothing in)
Re: (Score:2)
No firewall was broken here. NAT is NOT a firewall and should NOT be considered as a security measure.
The fundamental purpose of UPnP is to open ports through routing gear. Your claim that no firewall is broken here is a distinction without a difference for the consumer whose sole device incorporates the firewall and NAT in the same piece of equipment managed by a common UPnP interface.
As for NAT being NOT a firewall, I caution against the use of capitals. NAT may not be a firewall in a fundamental sense but without statefull packet inspection and with a lack of knowledge of what to do with incoming packets
Re: (Score:2)
Well I agree (and already did) on the identical behaviour, but NAT was used to hook up your roommates PC to one dialup. In the late 90s you wouldn't even think of anything else but hooking up your PC directly to the Internet. (think of the AOL era...)
Your company network probably had a firewall, but as likely enough public IP adresses for every workstation.
But I guess we can agree on the technical aspects and that this is rather a historical question.
Re: (Score:2)
But that wouldn't make it a chromecast problem at all but rather a malware on-some-other-platform problem.
I agree with your uPNP assesment as we even have TWO uPNP problems here:
the uPnp problem that allows anyone to open a port forwarding without any authentification and the uPNP/DLNA problem that allows anyone to discover and control AV equipment without any authentification.
On the other hand: NAT was never meant as any level of protection. It's disability to open ports rendered several protocols useless
Re: (Score:2)
Complain to Google (Score:2)
Does YouTube not have a way to fine or otherwise punish this twerp for promoting himself like this?
Re: (Score:2)
What makes you think PewDiePie is behind it?
I mean sure he's got motive and its possible. But I could see any number of fans doing this entirely on their own too. Or any number of haters too for that matter.
Re: (Score:2)
More likely a wide spread attack to gain media attention across a broad spectrum and used to force new corporate crack downs, mass censorship via the end of net neutrality. Corporations have the right to declare you a digital non-person, no internet access, no electronic payments of any form, no digital IDs, a non-person for all those who do not bend and scrape to corporate demands.
Re: (Score:2)
At this point it's already a meme for anyone and everyone to add "subscribe to pewdiepie" as a joke.
The time to accuse him has long since past.
PS, subscribe to magarity!
No one should profit from crime (Score:1)
So the obvious thing would be to unsubscribe from PewDiePie on mass
Failing that just terminate the account altogether.
Re: (Score:3, Funny)
It's called a dip switch, you moran.
Re: (Score:2)
Re: (Score:2)
That's fine. It's French.
Re: (Score:2)
PewDiePie can pay for an private attorney an publi (Score:2)
PewDiePie can pay for an private attorney an public defender may be to over worked to put up a good case.
Re: (Score:2)
iTS' bett3r than being hacked by CH1n4.
That would be "Giiiina". Everybody knows this. Everybody agrees.
Re: (Score:2)
I don't agree. Several other people don't, either.
* Red danger! Cold War feelings...
3 points (Score:1)
1) DISABLE UPNP NOW! It has to be one of the largest security risks possible on a home network.
2) Shame on google for using UPnP to forward a port that allows remote control of the chromecast device. What purpose does this serve?
3) Can PewDiePie just go away already? If you can't keep your subscriber count up by posting worthwhile content then just go away. Youtube should revoke all the subscribers him and his ilk have managed to gain for him by spamming and ramming PewDiePie down everyone's throat.
Re: (Score:1)
He gained more subscribers when the Wall Street Journal wrote a front page column about him because he told a Hitler joke. Blame them.
Re: (Score:3)
1) I think Upnp could be useful, but it would only be useful for generating a selection of services to add on the router through some interface (it's web page or a phone app with notifications), rather than auto-granting. Having true peer to peer technologies without blessed cloud intermediaries would be nice.
2) It sounds like they don't request that port be forwarded, but malware running on the same network segment is sending upnp packets on behalf of detected chromecasts to make them internet accessible,
under hacking / other laws PewDiePie is guilty of (Score:2)
under hacking / other laws PewDiePie is guilty of an crime? and seeing how he makes an profit off of this and maybe even theft of services as some people are changed for data usage.
Re: (Score:2)
by Joe_Dragon ( 2206452 )
under hacking / other laws PewDiePie is guilty of an crime?
Subscribe to Joe_Dragon!
So under hacking laws, is Joe_Dragon guilty of a crime? If so, lets hope the above meme doesn't catch on for your sake.
Host files (Score:1)
Re: (Score:2)
While the primary problem is that UPnP doesn't require approval, the secondary problem is definitely that Chromecast doesn't authenticate incoming connections in any way.