Giving up your Wi-Fi password can be giving up more control than you think. Because of the way Chromecast and other IoT devices communicate, anyone on the same Wi-Fi network as your device can often make it do whatever they want. With a script called "Cast All the Things," we can hijack a Chromecast to play nearly any kind of media with a single command in terminal.
IoT (Internet of Things) devices are notorious for making compromises on security for the sake of convenience, rendering them particularly easy to attack. A perfect example is the Chromecast, which can be effectively hijacked by any device on the same local network that knows how to talk to it.
Media devices like a Chromecast are controlled by simple application programming interfaces (APIs) designed to be controlled by messages from a user's smartphone. These are usually sent to the Chromecast as the user operates a mobile application with an interface for controlling the device. In most cases, these messages don't require any kind of password to execute, so the Chromecast will react exactly the same if you send it commands directly — without involving the official app.
Internet of Things devices are everywhere, and many of them use lightweight messaging standards like MQTT to communicate over Wi-Fi. This standard is kind of like Twitter for Wi-Fi, short simple pre-formatted messages that can easily be passed between devices in a mesh network. A mesh network allows groups of IoT devices to pass messages between each other so that all devices have a connection to the internet if even one device in the cluster has a connection back to a Wi-Fi network.
- Don't Miss: Take Control of Sonos IoT Devices with Python
While this standard of communication is useful, security is often neglected to make it easier to configure the devices. With more serious problems like hard-coded passwords that can't be changed, making botnets a real threat; shortcuts in setting up message authentication; and lack of planning for using devices in shared network environments has made IoT security a real problem.
For everyone wanting a scriptable, easy-to-install, easy-to-work-with way to control Chromecast devices, the community has an answer. Cast All The Things provides command line access to the Chromecast API, putting you between the front-end mobile application and the device it's controlling. Designed to extend the functionality of the Chromecast much past where Google felt comfortable officially supporting, the project runs on Python and works on nearly every operating system.
CATT's use to a hacker lies in how easy it is to use and how scalable it is. It's not possible to command every Chromecast on a huge network to play a video at the same time using the normal application, because this is not behavior that Google would want to support.
With CATT, a single hacker with a laptop connected to the same network at a large office could order hundreds of Chromecasts to download and play a distracting video at maximum volume simultaneously, causing chaos and confusion at a key moment.
CATT can also act as an "out of band," or difficult to trace, way to communicate with another person by using the Chromecast as a way to transmit messages. These can either be overt, like in the subtitles, or covert, like changing the programming repeatedly to certain topics.
To follow this guide, you'll need a computer with Python installed. In addition, you'll need a to be on the same network as the device you are targeting. This can be a Wi-Fi network or an Ethernet network. This will not work on a guest network if the guest network doesn't allow you to scan or communicate with other hosts, like on a Starbucks Wi-Fi network.
You'll also need a Chromecast device to try to control, such as a Chromecast Ultra or Chromecast (3rd Generation). This will work against all models of Chromecast, as they use the same basic API calls. Once you have a Chromecast device connected to the same network as your computer, you can download CATT and any dependencies.
Installing CATT is incredibly easy, provided you have Python installed. If you do, then simply run the following command in a terminal window. While you don't need to, you should also take some time to check out the GitHub page if you want to learn more about how the tool works.
pip install catt
Pip will install all dependencies and configure CATT for you. After it's done installing, you can type catt --help to get a list of all the command line tools to better understand what the script can do. Sadly, there is no manual entry for CATT, so the amusing "man catt" command currently goes nowhere.
Usage: catt [OPTIONS] COMMAND [ARGS]... Options: --delete-cache Empty the Chromecast discovery cache. -d, --device NAME Select Chromecast device. --help Show this message and exit. Commands: add Add a video to the queue. cast Send a video to a Chromecast for playing. cast_site Cast any website to a Chromecast. ffwd Fastforward a video by TIME duration. info Show complete information about the currently-playing video. pause Pause a video. play Resume a video after it has been paused. restore Return Chromecast to saved state. rewind Rewind a video by TIME duration. save Save the current state of the Chromecast for later use. scan Scan the local network and show all Chromecasts and their IPs. seek Seek the video to TIME position. skip Skip to next video in queue (if any). status Show some information about the currently-playing video. stop Stop playing. volume Set the volume to LVL [0-100]. volumedown Turn down volume by a DELTA increment. volumeup Turn up volume by a DELTA increment. write_config Write the name of default Chromecast device to config file.
CATT makes things immediately easy for us by being able to scan the network on its own. While it's possible to do an Nmap scan against the network, the scan feature of CATT is already tuned to detect Chromecast devices on the local network.
Without using CATT, you'll need to calculate the network range of the network you're on, scan for devices with port 8008 open, and then tease out details about what type of device it is. All of these things are integrated into CATT, so to discover all nearby Chromecasts, you can type the following command.
Scanning Chromecasts... 192.168.0.91 - Probe Team CIC - Google Inc. Chromecast Ultra
Here, CATT has found a device and shown us its IP address, network name, and the type of device it is. We can use this IP address, or the name of the device, to specify which device we want to command if there are more than one.
Because there is only one on this network, we don't need to specify it in the following commands, because CATT will send to it by default.
Images like GIFs are extremely easy to display on a Chromecast display. To display most common formats of images, including animated GIFs (which will play in a loop), you can run the following command.
catt cast ./mygif.gif
To cast a video hosted on a YouTube-like website, you can run the following command.
catt cast "https://www.youtube.com/watch?v=dQw4w9WgXcQ"
This tool supports many, many websites besides YouTube that have video content, and there is a list of popular video sites that this tool can support. See the full list of websites (several of which are quite nasty).
With this ability, you can either host your own videos you want to play on YouTube and play them with the script or you can actually stream a file directly from your computer.
Now, let's overlay a message onto media we're casting from our laptop. This means we'll be able to communicate on two layers, with the content of the video we are playing, and with subtitles played very visibly over the video as it plays.
To do this, we'll need to make an SRT file, which we can do in nano. In a terminal window, type the following to create a subtitles file.
Then paste the following into the text file. You can modify the text, but the point is seeing how the format works. On the top, you have a 0 for where everything starts. Then you have a number for each block of text, a time code for how long the text is displayed, and then the text to display under it.
0 00:00:01.530 --> 00:00:03.629 HERE IS SOME TEXT 1 00:00:03.629 --> 00:00:07.819 OH WOW LOOK AT THAT BIG TEXT 2 00:00:07.819 --> 00:00:08.740 IT IS SO HUGE AND BIG OH 3 00:00:08.740 --> 00:00:13.370 SOME MORE SAMPLE TEXT HERE BUT 4 00:00:13.370 --> 00:00:14.660 there is no need to shout 5 00:00:14.660 --> 00:00:17.699 Never use Priceline 6 00:00:17.699 --> 00:00:22.720 More text to test 7 00:00:22.720 --> 00:00:26.300 Here is some sample text 8 00:00:26.300 --> 00:00:30.000 please pay me with a credit card
When you're done creating your text file, type Ctrl-x and then y to save and close the file.
Now, we should have a Demo.srt file to cast along with a local video. It's easy to cast a local video; simply specify the file path after typing catt cast and you should see the video begin to play. To specify we want subtitles, we'll add the -s flag. In the format below, substitute "/yourvideo.mp4" with the location of your video file.
catt cast -s ./Demo.srt ./yourvideo.mp4
Casting local file yourvideo.mp4... Using subtitle /Users/skickar/Desktop/Demo.srt Playing yourvideo.mp4 on "Probe Team CIC"... Serving local file, press Ctrl+C when done. 192.168.0.91 - - [21/Jan/2019 07:00:41] "GET /?loaded_from_catt HTTP/1.1" 200 - video/mp4 - 786.90 MB 192.168.0.91 - - [21/Jan/2019 07:00:41] "GET //var/folders/n1/l_2ynlx91lv57t122lq8lkyh0000gn/T/tmpxxljn3ds.vtt HTTP/1.1" 200 - text/vtt;charset=utf-8 - 1.69 KB
Just like that, you should see your video and subtitle message begin to play! I changed my example text a bit before it played.
If you want to spend less time specifying different Chromecast devices, you can also set up aliases and add a configuration file. You can create a configuration file by creating a "catt.cfg" file at the following location.
You can add devices to this configuration in the following format. Under "options," you can add the default device you wish to use if you don't specify a device otherwise when running Catt.
Under "aliases," you can make nicknames for the devices you want to use so that you can use that name for them when running the script.
[options] device = chromecast_one [aliases] one = chromecast_one two = chromecast_two
Lastly, we can cast any website directly to the screen. The Chromecast will grab websites with a resolution of 1280 x 720 pixels and display them on the screen. While this is useful for casting existing websites, we can also use it to design our own content, put it in a web interface, and then just cast that to the screen!
Sometimes we might want to create something totally fake and splash it on the screen, and by putting up a web URL, we can even host a web server on our own laptop and cast whatever we choose to display on it directly to the interface.
The command to do this, with this example being the Null Byte home page, is as follows.
catt cast_site https://null-byte.wonderhowto.com
Casting https://null-byte.wonderhowto.com on "Probe Team CIC"...
This tool is useful for a hacker looking to control Chromecast devices they don't own, but it's obviously extremely useful to anyone who does own a Chromecast as well. Thanks to the simplicity of controlling Chromecast devices over Wi-Fi, you can set custom triggers to cause actions on any displays you want using CATT.
While the techniques we covered today were focused on local networks, this will also work against any Chromecast device that's exposed directly to the internet as well. This was demonstrated when hackers found Chromecast devices on Shodan and made them play videos promoting PewDiePie. You should never do this, so if you've set up port forwarding to allow direct access to Internet of Things devices like a printer, camera, or media player, you can expect a message from a hacker telling you to subscribe to PewDiePie.
I hope you enjoyed this guide to finding and taking over Chromecast devices! If you have any questions about this tutorial on taking over IoT devices or if you have a comment, feel free to ask it below or reach out to me on Twitter @KodyKinzie.