As mentioned earlier, security people I’m following and talking to have mostly dismissed the idea that Chromecast + UPnP was to blame for yesterday’s “Chromecast hack,” as Chromecast/Home/etc. don’t really use UPnP for anything useful.
TL;DR – UPnP isn’t blameless, but Google may be.
One issue is that Chromecasts (I’m just going to call all affected devices Chromecast for this article) are consumer products, and once you’re in-network you’re not really dealing with a secure device. NAT and WiFi are your security.
From inside your network I can rename, cast, reboot, make a Home device talk, etc. This is by design. This only works if you’re in the person’s network. There’s a list of what you can make a Chromecast do. I don’t have it at 12:30am. Sorry.
That’s what appears to have actually happened. Hackers got into your network through cheap router exploits. The Chromecast / smart TV / speakers / etc. were just there as a display device. The hackers previously did about the same thing and printed out documents detailing how people’s printers were open and accessible because of router shittiness.
This time they renamed the Chromecasts, initiated a video stream, blamed Google, promoted that YouTube dude, and moved on.
The issue here is they were in the affected people’s network. They blamed Chromecast and your smart TV as opposed to blaming your craptastic router (or perhaps they did; the web page detailing the thing is down at the moment, so all I can see is the images and the Verge article blaming Google). They just rolled up, exploited a bad UPnP daemon, hopped into the network, found the cast devices, renamed them, started a video stream, and bam.
UPnP isn’t supposed to let the outside world barge in unannounced. This is where the crappy part of crappy routers comes into play. Update that router’s firmware yet? Do you think many of the hacked people would ever have? Change the default admin password?
On the Verge article there’s a quote from the hackers that CastHack was meant to remind Google of security flaws.
It appears the flaw is that you’re putting a pretty open device behind something someone picked up at Walmart for $29 and is using as a router.
Disabling UPnP did the trick on some routers; on some, changing the default admin password would be required; on some, a hammer might need applied. You get the drill.
But yes, I’m up past midnight posting that this doesn’t appear to have been a Google hack, more like a cheapest-router hack.
OK, so I love to source stuff, it’s midnight, I’ve got a cold, I’m going to thank some people in various forums, IRC, and post some Twitter links and hit bed.
Two Twitter quotes (SwiftOnSecurity) that sum up everything above:
Going by The Verge’s picture above, and what I’ve read, the Chromecast/Smart TV are indeed exposed (because the router is garbage), and most likely the TV and Chromecast are not exposing any information about you; your router, yes.
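A defender-side check for the router problem described above, as an added example that is not part of the original post: it reads the port-mapping entries a router's UPnP service reports and flags any enabled forward that puts a cast device's port on the internet. The SOAP samples, the addresses and the cast port list (8008/8009/8443) are constructed assumptions, not values from the post.

```python
import xml.etree.ElementTree as ET

# Ports commonly documented for Cast devices (assumption; not from the post).
CAST_PORTS = {8008, 8009, 8443}

# Constructed SOAP body in the shape a router's WANIPConnection service
# returns for GetGenericPortMappingEntry; all values below are made up.
TEMPLATE = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost>{0}</NewRemoteHost><NewExternalPort>{1}</NewExternalPort>
<NewProtocol>{2}</NewProtocol><NewInternalPort>{3}</NewInternalPort>
<NewInternalClient>{4}</NewInternalClient><NewEnabled>{5}</NewEnabled>
<NewPortMappingDescription>{6}</NewPortMappingDescription>
<NewLeaseDuration>{7}</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""
SAMPLE = [TEMPLATE.format(*row) for row in [
    ("", 8009, "TCP", 8009, "192.168.1.50", 1, "unknown", 0),
    ("", 51413, "UDP", 51413, "192.168.1.20", 1, "p2p client", 3600),
    ("", 8443, "TCP", 8443, "192.168.1.51", 0, "stale entry", 0),
]]

def parse_mapping(soap_xml):
    """Return the New* arguments of one port-mapping response as a dict."""
    root = ET.fromstring(soap_xml)
    return {el.tag: (el.text or "").strip() for el in root.iter()
            if el.tag.startswith("New")}

def audit(responses, cast_ports=CAST_PORTS):
    """List enabled forwards; mark those that put a cast port on the internet."""
    findings = []
    for soap_xml in responses:
        m = parse_mapping(soap_xml)
        if m.get("NewEnabled", "0").lower() not in ("1", "true"):
            continue  # a disabled entry forwards nothing
        any_source = m.get("NewRemoteHost", "") == ""  # empty = any remote host
        findings.append({
            "external": f'{m["NewProtocol"]}/{m["NewExternalPort"]}',
            "internal": f'{m["NewInternalClient"]}:{m["NewInternalPort"]}',
            "permanent": m.get("NewLeaseDuration") == "0",  # lease 0 = no expiry
            "exposes_cast": any_source and int(m["NewInternalPort"]) in cast_ports,
        })
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE):
        flag = "CAST EXPOSED" if f["exposes_cast"] else "review"
        print(f'{flag:13} {f["external"]} -> {f["internal"]} permanent={f["permanent"]}')
```

Any entry flagged this way is a reason to remove the mapping and turn UPnP off on the router, as described above.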