What happens when criminals hack a radio station?

April 21, 2016

On the morning of April 5, 2016, a number of American radio stations treated their listeners to quite the unusual broadcast. Over the course of 90 minutes, the hosts discussed the sexual subculture of furry fandom – an interest in humanlike characters from popular cartoons, comics and science fiction. The stations’ employees weren’t looking to shock their listeners; the stations’ equipment had been hacked.

In an hour and a half, citizens of some cities in Colorado and Texas became intimately acquainted with Paradox Wolf, Fayroe and their friends. These nicknames belong to the authors of FurCast — a fan webcast created by two guys and a girl from New York. Their channel was never intended to be heard by the general public, but the hackers didn’t care.

How could it happen?

At least one of the shows on the stations was sent over the Internet from Denver to four remote transmitters. Of those, one was located in the city of Breckenridge, Colorado. It was this transmitter, K258AS, that was hacked. The hacker replaced the intended program with FurCast Episode 224. Broadcast engineers could not regain control over the transmitters remotely, so they had to leave Denver and travel to the remote transmitter site, where they reprogrammed the system manually.

During the hack, the actual creators of FurCast detected an increase in connections to their podcast archive. This lasted several hours and stopped after the team discovered the problem on KIFT-FM (Colorado) and KXAX (Texas) and temporarily disabled access to the database. The majority of the connections had the user agent “Barix Streaming Client.”

Barix is a popular manufacturer of audio streaming hardware, and its devices were used by the hacked radio stations.

Ars Technica reported that the hackers had spent some time accumulating passwords. Barix translators support passwords of up to 24 symbols, “but in at least two cases 6 character passwords were cracked.”

A number of those transmitters were also visible on Shodan — a search engine for the Internet of Things, which lets people find connected devices.

The FurCast team blocked the IP addresses used by the hacked Barix transmitters and brought the archives back online, to the delight of their actual audience. Currently the FurCast team is working with law enforcement agencies to investigate this incident.
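The detection and blocking steps described above (spotting the “Barix Streaming Client” user agent in the archive's connections, then blocking those IP addresses) can be sketched as follows. This is an added example, not the FurCast team's own tooling; it assumes an access log in Combined Log Format, and the log lines, IP addresses and paths are constructed for illustration.

```python
import re
from collections import defaultdict

# Combined Log Format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# User agent string reported in the article; matched case-insensitively.
DEVICE_UA = "barix streaming client"

# Constructed sample log lines (documentation IP ranges, hypothetical paths).
SAMPLE_LOG = """\
198.51.100.7 - - [05/Apr/2016:08:01:12 -0600] "GET /archive/ep224.mp3 HTTP/1.0" 200 4096 "-" "Barix Streaming Client"
203.0.113.20 - - [05/Apr/2016:08:01:15 -0600] "GET /archive/ep224.mp3 HTTP/1.1" 200 8192 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [05/Apr/2016:08:01:42 -0600] "GET /archive/ep224.mp3 HTTP/1.0" 200 4096 "-" "Barix Streaming Client"
192.0.2.33 - - [05/Apr/2016:08:02:03 -0600] "GET /archive/ep224.mp3 HTTP/1.0" 200 4096 "-" "BARIX Streaming Client"
this line is malformed and must be skipped
203.0.113.20 - - [05/Apr/2016:08:03:00 -0600] "GET /feed.xml HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""

def device_clients(log_text, marker=DEVICE_UA):
    """Return {ip: {"hits": n, "paths": set}} for requests whose UA contains marker."""
    found = defaultdict(lambda: {"hits": 0, "paths": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not valid access-log entries
        if marker in m.group("ua").lower():
            entry = found[m.group("ip")]
            entry["hits"] += 1
            entry["paths"].add(m.group("path"))
    return dict(found)

def blocklist(clients, min_hits=1):
    """Sorted list of IPs to hand to the firewall or web server deny list."""
    return sorted(ip for ip, info in clients.items() if info["hits"] >= min_hits)

if __name__ == "__main__":
    clients = device_clients(SAMPLE_LOG)
    for ip in blocklist(clients):
        print(ip, clients[ip]["hits"], sorted(clients[ip]["paths"]))
```

A user agent is client-supplied and trivially changed, so a match like this is a triage signal for an incident in progress, not proof of which device is connecting.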

Though only a few small radio stations broadcast the podcast, the incident turned into a big stink. KIFT-FM alone received hundreds of calls and emails from alarmed listeners who demanded that no one at the station let it happen again.

Dan Cowen, KIFT Director of Programming, described the radio employees’ reaction as follows: “As horrified as our listeners were, believe me, we were a whole lot more horrified. It was a slow-motion car crash and it something where we really value — especially family … to have them wake up to this is beyond horrifying.”

While the BBC, Ars Technica and some TV channels have already had some laughs covering the episode, it is in fact a serious incident. In the past, stations have lost their broadcast licenses over similar situations.

On February 11, 2013, a criminal hacked Emergency Alert System devices belonging to four American TV stations. These devices are designed to alert the public to local weather emergencies such as tornadoes and flash floods. The hooligan used the Emergency Alert System to tell the world about zombies rising from their graves and invading residential areas (a clear reference to the Walking Dead series). The Federal Communications Commission found the stations liable for the broadcast intrusion, as they had not properly protected their devices from unauthorized remote access.

In 1987, Chicago TV stations also suffered from malicious actions, but they were found not liable as there had been no actual hack: the culprit simply generated a more powerful signal at the same frequency.

The impacted radio stations are, to a large extent, responsible for the FurCast incident. They should have used strong passwords and protected their devices with firewalls. Whether they are found liable is up to the Federal Communications Commission.

As for you and me, this incident once again reminds us how dangerous connected devices are and why you should not leave the default password on your newly bought IP camera.