Hacker Giraffe Strikes Again, Pushing PewDiePie Videos on Chromecasts

Last updated September 28, 2021
Written by:
Bill Toulas
Bill Toulas
Infosec Writer

The latest episode in the series of the “PewDiePie” attacks is the hijacking of thousands of Chromecast streaming dongles that were exposed to the net due to a security vulnerability that was left unplugged for a long time. The hackers behind the recent attack are known as Hacker Giraffe and J3ws3r, essentially being the same persons who recently launched the egregious “Printer Hacks”. As was the case with the previous attacks, this time as well the hackers wanted to expose the exploitation potential and lack of security rather than doing real damage, and PewDiePie was simply the accompanying humoristic theme.

hackergiraffe chromecast

Screenshot by TechCrunch

The hackers scanned for devices using Universal Plug ‘n Play with forwarding ports 8008/8443/8009, locating over 123100 vulnerable Chromecasts, Google Homes, and Smart TVs. The information that was leaked includes the home network WiFi details, the Bluetooth devices that are paired with the systems, status information, alarms, and previous connected networks stores in the devices. What the hackers did was to remotely play PewDiePie videos on a selection of these devices (about 50%), while they also proceeded to rename a few. However, if they wanted to cause a more serious disturbance, they could induce a remote factory reset on the device, force data wipe, force new Bluetooth pairings, etc.

The Hacker Giraffe team has announced through the attack tracking website that they set up, that they want to help their victims get educated on how to protect their devices from malicious attackers, claiming that “we’re only trying to protect you and inform you of this before someone takes real advantage of it.” They even provide advice on how to fix the exploited devices, by disabling UPnP on the routers and stop forwarding on ports 8008/8443/8009.

Although Google has released an official statement on the matter, claiming that the issue does not concern Chromecast specifically, but is rather a result of the router settings, the fact that Google’s device can be hijacked by a remote user remains. In fact, a security research consultancy firm had discovered this bug back in 2014, after finding a way to perform a successful “deauth” attack to Chromecasts. The bug remained unfixed for the next couple of years, as another cybersecurity researcher discovered in 2016, and as it seems, it remained unaddressed by Google until today.

Do you own a Chromecast device? Have you taken steps to secure it against “deauth” attacks? Let us know in the comments below, and feel free to share your thoughts on our socials as well, on Facebook and Twitter.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: