
Hacked radio stations broadcast 90-minute explicit podcast

Four US radio stations were taken over via unsecured internet-connected audio-streaming devices that had been hijacked.

The broadcast signals for four US radio stations were hacked last Tuesday, hijacked by somebody who swapped the regular Taylor Swift-esque fare of pop music for a 90-minute, raunchy podcast about “furry” sex.

FurCast, the furry culture group behind the podcast, said it is absolutely not responsible for the broadcast signal takeover.

In a post published Wednesday and updated Thursday, the group says it produces content for a niche audience and has “no interest in being discovered by a mainstream audience.”

According to FurCast, after it learned that its podcast had been inflicted on unwilling radio stations for about 90 minutes, it checked its logs and found that somebody had used the Shodan search engine for internet-connected devices to come up with an index of unsecured Barix audio streaming devices.

Shodan crawls its way around the internet, connecting to likely services, logging what comes back, and creating a searchable index of the results.

It’s been used to index internet-connected baby monitors, for one. Another target has been improperly configured MongoDB databases, like those at MacKeeper, Sanrio’s Hello Kitty, kid site uKnowKids and Hzone, a dating app for HIV-positive people, among others.

In this case, the radio hacker built a database of unsecured Barix devices, then broke into as many devices as possible, connected the devices to FurCast’s stream, and locked out the stations.

Livingston, Texas-based country music station KXAX found itself broadcasting raunchy ramblings on Tuesday and said on its Facebook page that the devices that send its audio to a transmitter site had been hacked.

Jason Mclelland, owner and general manager of the KXAX Radio Group, sent this emailed comment to Ars Technica:

All in all the FurCast aired for an hour, possibly two. During that time they talked about sex with two guys and a girl in explicit details and rambled on with vulgar language not really having much of a point to the podcast. I’m assuming there was no real reason for this hack.

On the same day, the signal for Colorado-based radio station KIFT was also forced into broadcasting the podcast.

The station published a post that explained that an internet-enabled Studio Transmitter Link had been hacked and its station engineers had been locked out.

Engineers at both stations had to travel to remote transmitter sites to do a hard reset in order to regain control.

According to radio industry news site RadioInsight.com, two more targets that didn’t want to be identified were involved: an AM station in Denver and a national syndicator.

The Michigan Association of Broadcasters issued an advisory urging Barix users to make sure their passwords are up to snuff.

This appears to have been in the planning stages for some time by the person doing it.

Apparently they have been accumulating passwords for some time. MAKE SURE that your password is of sufficient strength! Barix Boxes will take up to 24 characters…. In at least two cases six character passwords were cracked.

We couldn’t agree more.

Here’s a short, sweet video that shows you how to cook up just such a nice, strong password that will help keep your internet-connected devices off of somebody’s Shodan list of targets.

Image of shocked woman courtesy of Shutterstock.

8 Comments

Not that I agree with this abuse of access, but are we really calling connecting to unsecured boxes “hacking” nowadays? It fits the broad definition, sure, but at what point did these radio stations deserve what they got for leaving unsecured devices connected to the Internet? (Note: article mention of some “cracked” passwords not included in this broader statement)

Reply

At no point did they *deserve* it, any more than you would deserve to have your face smashed in by a drunken idiot who didn’t like the colour of your hat. You *could* have grown up tougher. You *could* have studied martial arts. You *could* have employed a bodyguard. You *could* have applied for a CCW permit. You *could* have run away faster. And so on.

Avoided it, yes, but you need to be careful of saying that a victim of cybercrime deserved it.

(And, as we have had the good fortune to write on Naked Security on more than one occasion, not everyone who finds this sort of security flaw decides to make odiously childish misuse of it…some hackers would have done the right thing and ended up helping everyone. And having something they could actually put on a CV, not spending the next 10 years trying to conceal the whole thing from the cops.)

Reply

“At no point did they *deserve* it, any more than you would deserve to have your face smashed in by a drunken idiot who didn’t like the colour of your hat. You *could* have grown up tougher. You *could* have studied martial arts. You *could* have employed a bodyguard. You *could* have applied for a CCW permit. You *could* have run away faster. And so on.

Avoided it, yes, but you need to be careful of saying that a victim of cybercrime deserved it.”

Hallelujah. This applies to victims of many crimes (e.g., rape). Well put, Paul Ducklin!

Reply

Whilst I agree with the perspective you laid out, I don’t really see what your mini-rant has to do with the comment you replied to. The original comment was a question of terminology and certainly doesn’t seem to me to be victim bashing. Now, it has been quite a few months since I’ve commented around here so maybe we have an edit function now that can drastically change the appearance of things but…

On the other hand, thanks for the article. Enjoyed reading as usual.

Reply

So with a commercial device like that, why don’t they use certificates to authenticate? (SSH for example)

I am hoping that passwords are on the way out!

Reply

Having a password that isn’t “123456” might be a starting point :-) After all, key-based authentication depends on the secrecy of the private key used to get in… and if *that’s* protected by a six-character password, you’re in a similar position if there’s a keylogger in the way somewhere.

Reply
