X

Hackers force smart TVs, Chromecasts to promote PewDiePie

You don’t have to adjust your screen, just your security settings.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Alfred Ng
3 min read
screen-shot-2019-01-02-at-11-01-11-am

Thousands of hacked Chromecasts and smart TVs are hijacked to show this image.

Screenshot by Alfred Ng / CNET

More than 5,500 exposed smart TVs, Chromecast streamers and Google Home devices have been commandeered in the name of YouTube mega-star PewDiePie.

Hacker Giraffe, the same pseudonymous person who forced thousands of exposed printers last year to churn out pages saying "Subscribe to PewDiePie," has his set sight on smart devices to promote the Swedish YouTube star's channel. Not that PewDiePie needs much help. He has the top-ranked channel with nearly 79.5 million subscribers.

Smart devices have boomed in popularity for adding tech to everyday objects. But they also raise security concerns because many of them are vulnerable to attacks. 

Lawmakers are just starting to regulate security for internet of things devices. For example, California's governor signed the nation's first cybersecurity bill that oversees connected devices in September.

If you're a victim, the Chromecast hack will push a video message to your television that reads, "Your Chromecast/Smart TV is exposed to the public internet and is exposing sensitive information about you!"

The message then provides link explaining how users can secure their devices before adding: "You should also Subscribe to PewDiePie."

The phrase "Subscribe to Pewdiepie" became a meme after T-Series, a Bollywood music label, came close to gaining more subscribers than PewDiePie, whose real name is Felix Kjellberg. PewDiePie has maintained a steady lead over T-Series as fans continue to pull stunts, including a recent hack on The Wall Street Journal's website.

The hacker said he's a fan of PewDiePie and thought promoting his channel would be funny.
"Honestly, it's just for the memes," Hacker Giraffe said in a direct message to CNET. "I like PewDiePie, and so why not?"

A few hours after the hack went live, PewDiePie tweeted at Hacker Giraffe: "doing gods work."

Hacker Giraffe worked on the hack with a partner who goes by j3ws3r, who said the video was done "out of respect" for the community. 

"We could have done anything," the partner said. "Jumped the air gap and made the TV say, 'hey Alexa, buy me 5,000 toilet rolls." 

Security researchers at Pen Test Partners found they could use the Chromecast exploit to play videos with voice commands to smart home devices like Amazon's Alexa.

Despite its meme-inspired nature, the hackers said the "true aim of this hack" is to raise awareness about how many connected devices are exposed online.

Hacker Giraffe believes that forcing TVs to play the PewDiePie promotional clip is innocent, as malicious attackers could have done much worse, like remotely resetting devices. On the link in the video, he wrote, "We just want to have a bit of fun while educating and protecting people from open devices like this case." 

A Google spokesperson said that Chromecast owners can fix the issue by changing their router settings. 

"This is not an issue with Chromecast specifically, but is rather the result of router settings that make smart devices, including Chromecast, publicly reachable," the spokesperson said in a statement.

Hacker Giraffe said he was able to take over thousands of exposed Chromecasts and smart TVs using Shodan, a search engine for connected devices. He looked for devices that had open ports 8008 and 8443, which is how most smart devices connect to the internet.

He found 123,141 exposed devices in the initial scan. 

The script renamed the exposed devices to HACKED_SUBTOPEWDS. The script then sent the PewDiePie promotional video to all devices with that name. The hacker said that some TVs couldn't be renamed, but still played the video. The Google Home devices without screens were hacked but cannot play the video.

He said it took about 30 minutes to get his script ready.

The security flaw was first discovered by another hacker on Sunday, he noted.

You can secure your devices by going to your router's settings and preventing it from forwarding your network traffic to ports 8008, 8443 and 8009. He also recommended turning off Universal Plug and Play settings that allow you to add devices to your network without much effort.

The script began running at about 5 a.m. PT and, in two hours, hijacked more than 5,500 devices.

Originally published Jan. 2 at 8:34 a.m. PT. 
Update, 3:30 p.m. PT: To include more details on the hackers behind the exploit, and a response from PewDiePie.  

Blockchain Decoded: CNET looks at the tech powering bitcoin -- and soon, too, a myriad of services that will change your life.

Follow the Money: This is how digital cash is changing the way we save, shop and work.