This article originally appeared in Infosecurity Magazine on January 4, 2019.
After targeting tens of thousands of devices in the CastHack campaign, TheHackerGiraffe feared that his ethical hacking might have gone too far and decided to put an end to his attempts to educate followers on vulnerable devices.
As Infosecurity Magazine reported earlier today, TheHackerGiraffe, in partnership with j3ws3r, exploited a vulnerability that allowed them to take advantage of routers with Universal Plug and Play (UPnP) enabled. The duo successfully hijacked more than 70,000 Chromecast-powered smart TVs, a vulnerability the hackers said was five years old.
Despite the campaign’s effectiveness in getting Google to issue a patch for Chrome for Android to resolve a security flaw that leaked information about smartphones’ hardware model, firmware version and, indirectly, the device’s security patch level, TheHackerGiraffe said in a Pastebin post that he is suffering from “the constant pressure of being afraid of being caught and prosecuted [that] has been keeping me up and giving me all kinds of fears and panic attacks.”
Last year the PewDiePie hackers gained notoriety after exploiting vulnerabilities in printers accessible by anyone on the internet. In a live tweet video Thursday, @TheHackerGiraffe said that he received a direct message informing him that the FBI was building a case against him. Having been “in panic mode” for an entire month, Thursday’s message catapulted the ethical hacker into a deeper state of fear. In addition, he received multiple messages threatening to kill him and his family.
“Going after Chromecast didn’t exactly help,” he said. As a result, TheHackerGiraffe destroyed everything, from the server to the Cloudflare account to GitHub, Patreon, and even the PayPal account that was linked to Patreon. Despite his fears, the hacker stands by his actions, which were driven by his genuine desire to inform the public about the sensitive information that was being leaked in vulnerable devices.
Mike Bittner, digital security and operations manager of The Media Trust said, “The ability to access information via user agent strings will benefit exploit targeting regardless of what browser is used. App developers and browser developers should do a thorough mapping of what user information they gather and share and ensure they’ve obtained user consent for such activities. With GDPR regulators soon to issue penalties and similar privacy laws on the horizon, app developers will have to rely on their own custom string to override user-agent strings that conduct unauthorized data processes. By requiring user consent, these privacy laws will lift the veil on rampant online surveillance activities – whether deliberate or as a result of bugs – that have so far passed largely unnoticed by internet users.”
As of now, the hacker said, “everything is gone,” and though he plans to leave his account active, he remains uncertain as to whether he will actively use the account.
“Most of all, I’m sorry to the people who supported me on Patreon. I didn’t want to leave like this, you deserve more for your money, and I’m truly sorry that I’ve failed to meet your demands and my promises when it comes to the guides. I guess there is a lesson to be learned here, don’t fly too close to the sun and then act like you don’t know you’ll get burned. Well, here I am, burned and roasted, awaiting my maybe-coming end. I thank you all, thank you all so much for the past month. It’s been amazing to see all of you who wanted to learn hacking/cybersecurity. Please do push on, don’t give up! Stay safe, stay legal, and most of all, be civil,” TheHackerGiraffe wrote.