Starting the New Year off with a slam, Hacker Giraffe and J3ws3r reportedly exploited a vulnerability in millions of Google Chromecast streaming devices. The CastHack bug, allegedly disclosed nearly five years ago, allowed the hackers to remotely access thousands of the streaming machines, causing them to show a pop-up placard on connected TVs alerting consumers that their misconfigured router is leaving them vulnerable to more disruptive attacks. While they were at it, they likewise asked those speaking the placard to subscribe to PewDiePie’s YouTube canal.
In 2014, Bishop Fox figure out that it could access and control a Chromecast device by unplugging it from its subsisting Wi-Fi network in a deauth attempt and reverting it to its mill state. Then, attackers needed to be within range of the Wi-Fi network to gain access, but the two attacks method has now been evolved. Some dwelling routers use Universal Plug and Play( UPNP) systems, which forward ports from the internal network to the internet, allowing connected devices to be viewed and accessed remotely.
“UPnP has been problematic for years. The protocols exist to induce interconnectivity of devices simpler for users, ” said Paul Farrington, head, EMEA& APJ Solutions Architecture at Veracode. “The idea behind UPnP is nice, but in the context of a hostile attack landscape, it discloses internal networks to peril. The difficulty with the Chromecast device is that Google haven’t truly designed it to foresee a hostile environment- one in which devices can be immediately exposed to the internet.”
Consumers Need More Security Education to Protect Their Networks and Devices
A spokesperson from Google told TechCrunch, “We have received reports from customers who have had an unauthorized video played on their TVs via a Chromecast device. This is not an issue with Chromecast specifically, but is rather the result of router defines that construct smart machines, including Chromecast, publicly reachable.”
While some machines and software applications may rely on UPnP, the majority don’t, and Farrington admonishes home customers to turn it off on their Internet routers. Still, there is more that device manufacturers and Internet Service Providers( ISPs) could do to help educate consumers about device security and rendering secure configurations.
“Before network and software engineers develop products, they truly need to think about the antagonist, ” Farrington tones. “Asking the question,’ how would the attacker benefit from this designing feature’ should be a constant question that is asked within development crews. Threat Modelling is a term used to describe an approaching of identifying’ secure by design’ architectures that build sensible trade-offs on hazard vs. benefit. Upfront thinking about security, coupled with continuous protection experimenting is truly the only behavior to address the modern challenge of continuing consumers safe from hackers.”
Scan data from Veracode’s State of Software Security Report Volume 9 shows that DevSecOps teams that embed continuous, automated security testing into their routine eliminate security imperfection 11.5 periods faster than those that experiment more infrequently. Constructing security in across the SDLC is a competitive advantage for both B2B and B2C companies. The last-place few years have shown that consumers are increasingly suffering breaches of their personal information and devices, and will want to ensure that they’re secure when they establish buying decisions.
Read more: veracode.com