CastHack - aka. what do PewDiePie and UPnP have in common

Discussion in 'General Network Security' started by umarmung, Jan 4, 2019.

  1. umarmung

    umarmung Senior Member

    Apr 21, 2018
    A couple of hackers are having some success exploiting insecure UPnP implementations on home residents' and corporate routers to take control of Chromecast devices via a long-running bug.

    This is what a Google Community Manager had to say:

    GraceFromGoogle Google Community Manager - Hardware 13 points 1 day ago

    Hi everybody,

    We know how frightening this is. The good news is your Chromecast hasn't actually been “hacked” - rather, someone was able to cast to your Chromecast due to an opening in your home network. This is the result of your router making some smart devices, including Chromecast, publicly reachable, due to a router feature called Universal Plug and Play (UPnP).

    To make your network more secure, you can disable UPnP to avoid any unwanted content being played on your devices. The instructions are different from router to router, so we suggest checking with the manufacturer of your particular device. However, this may affect other apps and devices that use UPnP to function.
  2. CriticJay

    CriticJay Regular Contributor

    May 30, 2018
    It's interesting that "Grace from Google" is telling people to turn off UPnP; however, the Chromecast support pages are telling people that CCs need UPnP to function and to turn it on.

    HOWEVER, I'm pretty sure that it isn't actually UPnP that the CC needs to function. It's actually Multicast. But there must be quite a few consumer routers which bundle Multicast functionality with UPnP; hence, if you disable UPnP you also disable Multicast. That's my theory at least.
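
An added example, not part of the thread and not Google's code: one way to audit a router's UPnP port-mapping table for the exposure described in the Google statement quoted in the first post. The listing is constructed in the layout of miniupnpc's `upnpc -l` output, and the watched ports (8008, 8009 and 8443, commonly used by Chromecast) are an assumption that does not come from the posts.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of miniupnpc's `upnpc -l` mapping list;
# every address, port and description here is made up for the example.
SAMPLE_LISTING = """\
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 TCP  8008->192.168.1.50:8008  'cast' '' 0
 1 TCP  8009->192.168.1.50:8009  'cast' '' 0
 2 UDP 51413->192.168.1.20:51413 'p2p client' '' 3600
 3 TCP  8443->192.168.1.50:8443  'cast' '198.51.100.7' 0
"""

# Assumption (not from the thread): local ports a Chromecast listens on.
WATCHED_PORTS = {8008, 8009, 8443}

ROW = re.compile(
    r"^\s*\d+\s+(?P<proto>TCP|UDP)\s+(?P<ext>\d+)->(?P<host>[\d.]+):(?P<int>\d+)"
    r"\s+'(?P<desc>[^']*)'\s+'(?P<remote>[^']*)'\s+(?P<lease>\d+)\s*$"
)


def parse_mappings(listing):
    """Turn the text listing into one dict per port mapping, skipping the header."""
    rows = []
    for line in listing.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({
                "proto": m["proto"], "ext_port": int(m["ext"]),
                "host": m["host"], "int_port": int(m["int"]),
                "desc": m["desc"], "remote": m["remote"],
            })
    return rows


def exposed_by_host(mappings, watched=WATCHED_PORTS):
    """External ports that forward a watched internal port with no remote-host limit.

    An empty remoteHost is a wildcard in UPnP IGD: any Internet address may connect.
    """
    result = defaultdict(list)
    for m in mappings:
        if m["int_port"] in watched and m["remote"] == "":
            result[m["host"]].append(m["ext_port"])
    return {host: sorted(ports) for host, ports in result.items()}


if __name__ == "__main__":
    for host, ports in exposed_by_host(parse_mappings(SAMPLE_LISTING)).items():
        print(f"{host}: reachable from the Internet on ports {ports}")
```

Mapping 3 is left out of the result because its remote host is pinned to a single address, and mapping 2 because its internal port is not on the watch list.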