Thousands of Google’s Chromecast streaming adapters, Google Home smart speakers and smart TVs with built-in Chromecast technology were targeted by hackers Wednesday, who forced the devices to play a video of controversial YouTube star PewDiePie.
The hack attack, which began Wednesday morning, took advantage of badly configured routers to find streaming devices exposed to the public internet. Once found this way, the hackers renamed the device’s Wi-Fi name, and then attempted to play a PewDiePie YouTube video. A website detailing the hack claimed that the hackers were able to play the video on more than 2,700 devices.
The website also shared some of the information the hackers had access, including “what WIFI your Chromecast/Google Home is connected to, what bluetooth devices it has paired to, how long it’s been on, what WiFi networks your device remembers, what alarms you have set, and much more.”
By forcing devices to play a PewDiePie video, the hackers threw their weight behind the “Subscribe to PewDiePie” campaign, which fans of the Swedish video-game streamer and vlogger have been engaged in since late last year. The goal of that campaign has been to keep PewDiePie’s subscriber count above that of T-Series, an Indian music video channel.
However, the pro-PewDiePie hackers were not able to access the microphone of a Google Home device, and they promised not to take advantage of any of the information obtained through the hack. “We’re only trying to protect you and inform you of this before someone takes real advantage of it,” they stated on their website. “Imagine the consequences of having access to the information above.”
It’s worth noting that the attackers technically didn’t “hack” Chromecast devices. Instead, they just made use of badly configured routers, which allowed them to effectively pretend that they were on the same home network as the Chromecast devices in question — giving them the ability to play media, rename the devices and more.
This was also confirmed by a Google spokesperson, who told Variety via email: “To restrict the ability for external videos to be played on their devices, users can turn off Universal Plug and Play (UPnP). Please note that turning off UPnP may disable some devices (e.g. printers, game consoles, etc.) that depend on it for local device discovery.”
The Google rep also shared specific instructions on how to turn off UPnP on specific routers (while noting that some routers, like Google Wifi, are not affected), providing links to customer-support articles for Netgear, Linksys and D-Link routers.
The same attack is possible with a number of other smart media devices. In fact, the hackers threatened to target other devices as well, tweeting: “You’re next, Sonos.”