It was reported earlier today that Hacker Giraffe has remotely gained access to the TVs and smart devices of tens-of-thousands of Google Chromecast users.
In the hack, a pop-up was displayed that both warns of the exploit and links to a page listing the current number of affected devices. The message also takes a chance to promote controversial YouTube personality, PewDiePie – a move this particular hacker has previously made by hijacking connected printers. While technically this latest hack is made possible via a security flaw in a users’ router, the exploit related to the Chromecast is one that has been known since the year the device launched.
To this end, Paul Farrington – Director of EMEA and APJ at Veracode – explains that developers need to test and scan the security of their systems regularly to prevent a UPnP vulnerability being exploited by cyber criminals:
“Universal Plug and Play (UPnP) has been problematic for years. The protocols exist to make interconnectivity of devices simpler for users. The idea behind UPnP is nice, but in the context of a hostile attack landscape, exposes internal networks to risk. Some devices and software applications will rely on UPnP, but the majority won’t. Really the advice for the home user is to turn off UPnP on their Internet router. The problem with the Chromecast device is that Google hasn’t really designed it to anticipate a hostile environment, such as one in which devices can be directly exposed to the Internet.
In general, consumers haven’t been educated on how to make devices secure. Offering advice about disabling features is all well and good, but device manufacturers and probably Internet Service Providers (ISPs) could do more to help the public by providing secure configurations. Before network and software engineers create products, they really need to think about the adversary. Asking the question, ‘how would the attacker benefit from this design feature’ should be a constant question that is asked within development teams.
‘Threat Modelling’ is a term used to describe an approach of identifying ‘secure by design’ architectures that make sensible trade-offs on risk vs. benefit. What’s more, evidence from Veracode’s recent State of Software Security Report (v.9) suggests that DevSecOps teams that embed continuous automated security testing into their routine will eliminate security defects 11.5 times faster than those which test infrequently. As such, upfront thinking about security, coupled with continuous security testing is really the only way to address the modern challenge of keeping consumers safe from hackers.”