a photo of Google Home 1st Gen

Hackers use router vulnerability to take over thousands of Google Home and Chromecast devices

Alistair Charlton
Jan. 03, 2019 05:38AM EST

Hackers have used a router vulnerability to remotely control tens of thousands of smart TVs and Google products, including the Home smart speaker and Chromecast streaming device.

Named #CastHack, the stunt began on January 1 and exposed over 72,000 devices to the hack. A website set up by the hackers claimed over 65,000 devices were forced to play a video that included a message telling the victim they had been hacked and asking them to subscribe to Felix Kjekkberg's controversial YouTube channel, better known as Pewdiepie.

Read More:

Dojo Smart internet security and privacy solution for your Wi-Fi network - Safe from hacks, cyberattacks and privacy breaches, 1 year subscription included
List Price: $179.57
New From: $179.57in Stock

Although the numbers on the hackers' website may not be accurate - they did not increase in the time it took to write and publish this article - a number of Reddit users have posted to say they are victims of the hack. One person said: "Every 20 minutes or so my TV switches to some crappy YouTube video about Pewdiepie with s****y rap music and a '#ChromeCastHack' hashtag."

A Twitter account seemingly created by the hackers - known as HackerGiraffe and j3ws3r - claimed the hack was taking control of 20 Chromecasts every second on January 1. The account tweeted a day later to reference a patch issued by Google to stop the attack.

Rather than being a hack that broke into the security of Google devices and smart televisions, this stunt was made possible by exploiting vulnerabilities in the home Wi-Fi routers they use to connect to the Internet.

The Chromecast is used to play YouTube, Netflix and other video content on a connected televisionGoogle

The attack took advantage of a common router feature called Universal Plug and Play (UPnP), which helps devices see each other on a Wi-Fi network—devices like printers, smart speakers, and TV streaming sticks like the Chromecast.


Chromecast with Google TV (4K)- Streaming Stick Entertainment on Your TV with Voice Search - Watch Movies, Shows, and Live TV in 4K HDR - Sky Blue with Accessories
List Price: $88.49
New From: $89.00in Stock

The hackers' website claimed they performed a relatively harmless stunt to draw attention to the vulnerability rather than cause genuine damage. The website reads: "We want to help you...We're only trying to protect and inform you of this before someone takes advantage of it."

The site also said: "If you came here because you're a victim of #CastHack, then know that your Chromecast/Smart TV/Google Home is exposed to the public internet and is leaking sensitive information related to your device and home."

The hackers reassured victims that they could not access any personal information related to their Google account or the Google Home's microphone, but they claimed to have access to the noise level in whatever room the device was in. They also said they could remotely play media on the device, rename it, perform a reboot or factory reset, and force it to pair with a new Bluetooth speaker or Wi-Fi network.


Gryphon AX – Ultra-Fast Mesh WiFi 6 Parental Control Router – Advanced Content Filters and Next-Gen Firewall - 4.3 Gbps Across 3,000 sq. ft. per Router for Multi-Device Households
List Price: $299.00
New From: $299.00in Stock
Used From: $149.00in Stock
Related Articles Around the Web