How To: Hijack Chromecasts with CATT to Display Images, Messages, Videos, Sites & More

Hijack Chromecasts with CATT to Display Images, Messages, Videos, Sites & More

Giving up your Wi-Fi password can be giving up more control than you think. Because of the way Chromecast and other IoT devices communicate, anyone on the same Wi-Fi network as your device can often make it do whatever they want. With a script called "Cast All the Things," we can hijack a Chromecast to play nearly any kind of media with a single command in terminal.

IoT (Internet of Things) devices are notorious for making compromises on security for the sake of convenience, rendering them particularly easy to attack. A perfect example is the Chromecast, which can be effectively hijacked by any device on the same local network that knows how to talk to it.

Media devices like a Chromecast are controlled by simple application programming interfaces (APIs) designed to be controlled by messages from a user's smartphone. These are usually sent to the Chromecast as the user operates a mobile application with an interface for controlling the device. In most cases, these messages don't require any kind of password to execute, so the Chromecast will react exactly the same if you send it commands directly — without involving the official app.

IoT Devices Use Vulnerable Messaging to Communicate

Internet of Things devices are everywhere, and many of them use lightweight messaging standards like MQTT to communicate over Wi-Fi. This standard is kind of like Twitter for Wi-Fi, short simple pre-formatted messages that can easily be passed between devices in a mesh network. A mesh network allows groups of IoT devices to pass messages between each other so that all devices have a connection to the internet if even one device in the cluster has a connection back to a Wi-Fi network.

While this standard of communication is useful, security is often neglected to make it easier to configure the devices. With more serious problems like hard-coded passwords that can't be changed, making botnets a real threat; shortcuts in setting up message authentication; and lack of planning for using devices in shared network environments has made IoT security a real problem.

Image by Kody/Null Byte

Cast All the Things for Command Line Control

For everyone wanting a scriptable, easy-to-install, easy-to-work-with way to control Chromecast devices, the community has an answer. Cast All The Things provides command line access to the Chromecast API, putting you between the front-end mobile application and the device it's controlling. Designed to extend the functionality of the Chromecast much past where Google felt comfortable officially supporting, the project runs on Python and works on nearly every operating system.

CATT's use to a hacker lies in how easy it is to use and how scalable it is. It's not possible to command every Chromecast on a huge network to play a video at the same time using the normal application, because this is not behavior that Google would want to support.

With CATT, a single hacker with a laptop connected to the same network at a large office could order hundreds of Chromecasts to download and play a distracting video at maximum volume simultaneously, causing chaos and confusion at a key moment.

CATT can also act as an "out of band," or difficult to trace, way to communicate with another person by using the Chromecast as a way to transmit messages. These can either be overt, like in the subtitles, or covert, like changing the programming repeatedly to certain topics.

What You'll Need

To follow this guide, you'll need a computer with Python installed. In addition, you'll need a to be on the same network as the device you are targeting. This can be a Wi-Fi network or an Ethernet network. This will not work on a guest network if the guest network doesn't allow you to scan or communicate with other hosts, like on a Starbucks Wi-Fi network.

You'll also need a Chromecast device to try to control, such as a Chromecast Ultra or Chromecast (3rd Generation). This will work against all models of Chromecast, as they use the same basic API calls. Once you have a Chromecast device connected to the same network as your computer, you can download CATT and any dependencies.

Step 1: Install CATT

Installing CATT is incredibly easy, provided you have Python installed. If you do, then simply run the following command in a terminal window. While you don't need to, you should also take some time to check out the GitHub page if you want to learn more about how the tool works.

pip install catt

Pip will install all dependencies and configure CATT for you. After it's done installing, you can type catt --help to get a list of all the command line tools to better understand what the script can do. Sadly, there is no manual entry for CATT, so the amusing "man catt" command currently goes nowhere.

catt --help
Usage: catt [OPTIONS] COMMAND [ARGS]...

Options:
  --delete-cache     Empty the Chromecast discovery cache.
  -d, --device NAME  Select Chromecast device.
  --help             Show this message and exit.

Commands:
  add           Add a video to the queue.
  cast          Send a video to a Chromecast for playing.
  cast_site     Cast any website to a Chromecast.
  ffwd          Fastforward a video by TIME duration.
  info          Show complete information about the currently-playing video.
  pause         Pause a video.
  play          Resume a video after it has been paused.
  restore       Return Chromecast to saved state.
  rewind        Rewind a video by TIME duration.
  save          Save the current state of the Chromecast for later use.
  scan          Scan the local network and show all Chromecasts and their IPs.
  seek          Seek the video to TIME position.
  skip          Skip to next video in queue (if any).
  status        Show some information about the currently-playing video.
  stop          Stop playing.
  volume        Set the volume to LVL [0-100].
  volumedown    Turn down volume by a DELTA increment.
  volumeup      Turn up volume by a DELTA increment.
  write_config  Write the name of default Chromecast device to config file.

Step 2: Scan the Network for Chromecasts

CATT makes things immediately easy for us by being able to scan the network on its own. While it's possible to do an Nmap scan against the network, the scan feature of CATT is already tuned to detect Chromecast devices on the local network.

Without using CATT, you'll need to calculate the network range of the network you're on, scan for devices with port 8008 open, and then tease out details about what type of device it is. All of these things are integrated into CATT, so to discover all nearby Chromecasts, you can type the following command.

catt scan
Scanning Chromecasts...
192.168.0.91 - Probe Team CIC - Google Inc. Chromecast Ultra

Here, CATT has found a device and shown us its IP address, network name, and the type of device it is. We can use this IP address, or the name of the device, to specify which device we want to command if there are more than one.

Because there is only one on this network, we don't need to specify it in the following commands, because CATT will send to it by default.

Step 3: Send an Image to the Screen

Images like GIFs are extremely easy to display on a Chromecast display. To display most common formats of images, including animated GIFs (which will play in a loop), you can run the following command.

catt cast ./mygif.gif

Step 4: Cast a Remote YouTube Video to the Screen

To cast a video hosted on a YouTube-like website, you can run the following command.

catt cast "https://www.youtube.com/watch?v=dQw4w9WgXcQ"

This tool supports many, many websites besides YouTube that have video content, and there is a list of popular video sites that this tool can support. See the full list of websites (several of which are quite nasty).

With this ability, you can either host your own videos you want to play on YouTube and play them with the script or you can actually stream a file directly from your computer.

Step 5: Play a Local Video with Subtitles

Now, let's overlay a message onto media we're casting from our laptop. This means we'll be able to communicate on two layers, with the content of the video we are playing, and with subtitles played very visibly over the video as it plays.

To do this, we'll need to make an SRT file, which we can do in nano. In a terminal window, type the following to create a subtitles file.

nano Demo.srt

Then paste the following into the text file. You can modify the text, but the point is seeing how the format works. On the top, you have a 0 for where everything starts. Then you have a number for each block of text, a time code for how long the text is displayed, and then the text to display under it.

0
00:00:01.530 --> 00:00:03.629
HERE IS SOME TEXT

1
00:00:03.629 --> 00:00:07.819
OH WOW LOOK AT THAT BIG TEXT

2
00:00:07.819 --> 00:00:08.740
IT IS SO HUGE AND BIG OH

3
00:00:08.740 --> 00:00:13.370
SOME MORE SAMPLE TEXT HERE BUT

4
00:00:13.370 --> 00:00:14.660
there is no need to shout

5
00:00:14.660 --> 00:00:17.699
Never use Priceline

6
00:00:17.699 --> 00:00:22.720
More text to test

7
00:00:22.720 --> 00:00:26.300
Here is some sample text

8
00:00:26.300 --> 00:00:30.000
please pay me with a credit card

When you're done creating your text file, type Ctrl-x and then y to save and close the file.

Now, we should have a Demo.srt file to cast along with a local video. It's easy to cast a local video; simply specify the file path after typing catt cast and you should see the video begin to play. To specify we want subtitles, we'll add the -s flag. In the format below, substitute "/yourvideo.mp4" with the location of your video file.

catt cast -s ./Demo.srt ./yourvideo.mp4
Casting local file yourvideo.mp4...
Using subtitle /Users/skickar/Desktop/Demo.srt
Playing yourvideo.mp4 on "Probe Team CIC"...
Serving local file, press Ctrl+C when done.
192.168.0.91 - - [21/Jan/2019 07:00:41] "GET /?loaded_from_catt HTTP/1.1" 200 - video/mp4 - 786.90 MB
192.168.0.91 - - [21/Jan/2019 07:00:41] "GET //var/folders/n1/l_2ynlx91lv57t122lq8lkyh0000gn/T/tmpxxljn3ds.vtt HTTP/1.1" 200 - text/vtt;charset=utf-8 - 1.69 KB

Just like that, you should see your video and subtitle message begin to play! I changed my example text a bit before it played.

Image by Kody/Null Byte

If you want to spend less time specifying different Chromecast devices, you can also set up aliases and add a configuration file. You can create a configuration file by creating a "catt.cfg" file at the following location.

nano ~/.config/catt/catt.cfg

You can add devices to this configuration in the following format. Under "options," you can add the default device you wish to use if you don't specify a device otherwise when running Catt.

Under "aliases," you can make nicknames for the devices you want to use so that you can use that name for them when running the script.

[options]
device = chromecast_one

[aliases]
one = chromecast_one
two = chromecast_two

Step 6: Cast a Website to the Screen

Lastly, we can cast any website directly to the screen. The Chromecast will grab websites with a resolution of 1280 x 720 pixels and display them on the screen. While this is useful for casting existing websites, we can also use it to design our own content, put it in a web interface, and then just cast that to the screen!

Sometimes we might want to create something totally fake and splash it on the screen, and by putting up a web URL, we can even host a web server on our own laptop and cast whatever we choose to display on it directly to the interface.

The command to do this, with this example being the Null Byte home page, is as follows.

catt cast_site https://null-byte.wonderhowto.com
Casting https://null-byte.wonderhowto.com on "Probe Team CIC"...

CATT Can Make Almost Anything Appear on the Screen

This tool is useful for a hacker looking to control Chromecast devices they don't own, but it's obviously extremely useful to anyone who does own a Chromecast as well. Thanks to the simplicity of controlling Chromecast devices over Wi-Fi, you can set custom triggers to cause actions on any displays you want using CATT.

While the techniques we covered today were focused on local networks, this will also work against any Chromecast device that's exposed directly to the internet as well. This was demonstrated when hackers found Chromecast devices on Shodan and made them play videos promoting PewDiePie. You should never do this, so if you've set up port forwarding to allow direct access to Internet of Things devices like a printer, camera, or media player, you can expect a message from a hacker telling you to subscribe to PewDiePie.

I hope you enjoyed this guide to finding and taking over Chromecast devices! If you have any questions about this tutorial on taking over IoT devices or if you have a comment, feel free to ask it below or reach out to me on Twitter @KodyKinzie.

Cover photo by TAKA@P.P.R.S/Flickr

Get The Null Byte Newsletter

Never miss a new hacking or security guide

3 Comments

when you type in command "pip install catt" you may or may not get an error for using CATT because it may happen, that it will install catt version for python3 under a python2 libraries. Before doing any of said commands, first install

Apt Install python3-Pip

Once you done that, simply use new pip script to install CATT under python3

pip3 Install Catt

Everything should work fine from now on. I had the same problem, but i fugure it out myself. Hope this will help somone with instalation process.

hi there, i need a hand when i try to run catt it says i need python 3, which i have as i can check by typing python3,

Any idea as to why its not working with my version of python??

So can this work on a outside network?

Share Your Thoughts

  • Hot
  • Latest