
Hacking IoT: Google Chromecast

Slack Group

Before we get started: I have started a new Slack group dedicated to hacking. We welcome everyone, from beginner to advanced. I will be on every day answering questions, doing CTFs, and talking about cool hacks. If you enjoy hacking and are looking for like-minded people, join below:

NEW Hacking Group Slack Channel

Introduction

It's January 2nd, 2019 and, as I always do, I was checking my news feed and noticed an article about a malicious hacker attacking Chromecasts, which resulted in their TVs being forced to render unwanted content (News Article).

Message the hacker left on TVs

This piqued my interest, so I set out to discover how the hacker accomplished this.

Technical Details

Recon

According to the internet, a Chromecast is a streaming media adapter from Google that allows users to play online content, such as videos and music, on a digital television.

At the time of writing this is a hot topic, so I figured I could find more details on social media (Twitter). After five minutes of digging I discovered the following Twitter post, which pointed me in the right direction.

Twitter post

Neat, so I can send a POST request to VulnWebSite.com:8008/apps/YouTube with a JSON body containing the data {'v':'VIDEO_ID_HERE'}. So basically the vulnerability here is that anyone who sends a POST request to your Chromecast device can make your TV play a YouTube video. This is all unauthenticated.

Next I attempted to look for the API documentation but couldn't find what I wanted. I then came across unofficial API documentation posted by someone else (API documentation). I also found other documentation, listed below. After reading the documentation I had a much better idea of how the device worked, and I pretty much knew how the hacker had pulled off the attack.

The Attack

First we must create some sort of fingerprint to identify Chromecast devices that have this API endpoint exposed. This can easily be done by sending a GET request to the /setup/eureka_info endpoint, which is documented here (device-info API documentation). This returns a JSON object containing the build version, device info, public key, and more. This is the same API endpoint shodan.io uses to fingerprint Chromecast devices.

Now that we can identify Chromecast devices, all we have to do is send the YouTube payload to the "/apps/YouTube" endpoint we discovered earlier. After that, the user's TV will be forced to play whatever video you want it to play. You can also do other things, like list the surrounding access points and Bluetooth devices, or anything else listed in the API documentation. This can all be done unauthenticated, of course.

Universal Plug and Play

This attack is simple, and almost anyone armed with this knowledge can pull it off. What makes things worse is that Chromecast makes use of Universal Plug and Play (UPnP). If you don't know what UPnP does, it basically punches a hole right through your firewall. This means the Chromecast device uses UPnP to open port 8008 on your router and forward all that traffic to the Chromecast device. If your router has UPnP enabled, as almost all do by default, your Chromecast device will be opening itself to the internet. This means anyone on the internet will be able to control your Chromecast device, and the TV it is connected to, unauthenticated.
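As an added, defender-side example (this is not code from the original post, and the author did not publish a script), the following Python snippet shows the check you would want after reading the above: it scans access-log lines for the two unauthenticated endpoints the post names, /setup/eureka_info and /apps/YouTube on port 8008, and flags any request to them that arrives from outside the private address ranges, which is exactly the symptom of the UPnP port mapping described above. The log format, the sample lines and the severity labels are assumptions made for this example; the sample addresses are constructed.

```python
import ipaddress
import re
from typing import Dict, List

# Unauthenticated Chromecast endpoints named in the post, keyed by "METHOD path".
WATCHED_ENDPOINTS = {
    "GET /setup/eureka_info": "device fingerprinting (build version, public key, ...)",
    "POST /apps/YouTube": "forced YouTube playback",
}

# Address ranges that count as the local network. Anything else is treated as the
# internet, i.e. traffic that could only reach the device through a UPnP mapping.
LOCAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")
]

# Assumed log format (not a real router or proxy format): "<timestamp> <src_ip> <method> <path> <status>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+(?P<status>\d{3})$"
)

# Constructed sample lines, not real traffic. 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges used here as stand-ins for internet sources.
SAMPLE_LOG = """\
2019-01-02T10:00:01Z 192.168.1.20 GET /setup/eureka_info 200
2019-01-02T10:00:05Z 203.0.113.7 GET /setup/eureka_info 200
2019-01-02T10:00:06Z 203.0.113.7 POST /apps/YouTube 201
2019-01-02T10:00:09Z 192.168.1.31 POST /apps/YouTube 201
2019-01-02T10:00:12Z 198.51.100.4 GET / 404
this line is malformed and is skipped
"""


def is_external(ip: str) -> bool:
    """True when the source address lies outside every local range in LOCAL_NETS."""
    addr = ipaddress.ip_address(ip)
    # A v4 address is never "in" a v6 network and vice versa, so mixing them is safe.
    return not any(addr in net for net in LOCAL_NETS)


def find_exposed_requests(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per request that reached the device from the internet.

    Hits on a watched endpoint are rated 'high'; any other external request is
    'medium', because it already proves the device is reachable from outside the LAN.
    """
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the scan
        if not is_external(m["src"]):
            continue  # LAN traffic is expected; only internet sources matter here
        key = f"{m['method']} {m['path']}"
        if key in WATCHED_ENDPOINTS:
            severity, reason = "high", WATCHED_ENDPOINTS[key]
        else:
            severity, reason = "medium", "device reachable from the internet"
        findings.append({"ts": m["ts"], "src": m["src"], "request": key,
                         "severity": severity, "reason": reason})
    return findings


def sources_by_severity(findings: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group distinct external source addresses by the highest severity seen for each."""
    rank = {"high": 2, "medium": 1}
    best: Dict[str, str] = {}
    for f in findings:
        if rank[f["severity"]] > rank.get(best.get(f["src"], ""), 0):
            best[f["src"]] = f["severity"]
    grouped: Dict[str, List[str]] = {}
    for src, sev in best.items():
        grouped.setdefault(sev, []).append(src)
    return grouped


if __name__ == "__main__":
    results = find_exposed_requests(SAMPLE_LOG)
    for f in results:
        print(f"[{f['severity']:6}] {f['ts']} {f['src']:15} {f['request']}  ({f['reason']})")
    print(sources_by_severity(results))
```

Any "medium" finding at all means the port-8008 service is reachable from the internet, which is the condition to fix first (disable UPnP on the router or remove the mapping); the "high" findings tell you whether someone has already fingerprinted the device or pushed playback to it.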

Conclusion

I strongly believe that Google is truly a great company. They do a lot to protect us every day, and they also protect other companies and devices thanks to Project Zero. No matter how good you are, some things just slip through the cracks. It happens all the time. Google has already mentioned that they will be pushing an update within the coming weeks. It's probably best to block UPnP completely, as there are many other IoT devices that could be vulnerable. Think about it: if a Google device is vulnerable to an unauthenticated API exploit, how many other devices are?
