A recent publicity stunt promoting YouTube scoundrel pewdiepie has brought attention to a design flaw in Google Chromecast devices and smartTVs that embed the Chromecast technology. By default, the Chromecast device will attempt to use Universal Plug and Play if it is enabled on the network router in order to open a port on the router’s firewall and map ports TCP:8008, 8443 & 8009 directly to the Chromecast. This means anyone who knows the public IP address of the router can send commands to the Chromecast and cause it to display arbitrary video files. Devices that are open the Internet are easily discovered using search engines such as www.shodan.io which indexes Internet devices rather than web pages.
In the case of the publicity stunt, the Chromecast devices unexpectedly played a 20 minute pewdiepie video on over 65,000 devices. However, more nefarious attackers could use this ability to play video files that are designed to manipulate the people who see them to take action which facilitates a more damaging attack on your company infrastructure. Social Engineering plays an increasingly important role in successful cyber-attacks and this Chromecast vulnerability provides an unexpected avenue for criminals to message and manipulate your staff.
Chromecast devices have been adopted as cheap and cheerful digital signage controllers in many offices and are used to mirror PC screens displaying anything from building announcements through to the state of the current software build progress or live server metrics for DevOps teams.
While many enterprise grade routers will have Universal Plug and Play disabled, it is possible that tertiary networks established to support IoT and digital signage devices and keep them off the main corporate network may use cheaper SoHo grade devices which could have UPnP available by default. Network administrators are advised to check if UPnP is enabled on their network and disable it if possible.