Hacked repeater brings furry podcast FurCast to FM radio
Are furry podcasts unsuitable for breakfast? FM listeners in Colorado sure thought so!
On the morning of April 5, Denver-area FM station KIFT 106.3 "The Lift" suffered a broadcast signal intrusion on a relay station serving a remote valley. Instead of Bruno Mars, listeners in Breckenridge, Colorado were treated to Paradox Wolf, Fayroe and friends.
Denver station KCNC-TV "CBS 4" contacted The Lift for an explanation, and were told they send programing from their studio to four transmitters via the Internet. Somehow, the Breckenridge repeater K258AS (99.5 FM) was compromised, and someone had spliced in Furcast Episode 224 in place of The Lift.
Thankfully, the primary FM and webcasts of both The Lift and Furcast.FM / XBN were unaffected, but a large amount of NSFW programming, including swearing, was broadcast without censorship for several hours, with The Lift's engineers unable to kill the studio/transmitter link remotely.
On FurCast's end, their server saw a gradual rise in connections to its podcast archive (used on its website and iOS and Android apps for listeners) from 06:00 AM EDT onwards, until they were able to temporarily disable access at 02:30 PM EDT. The archives have since come back online at a new address, with a long list of blocked IP addresses to prevent a recurrence.
While hilarious, this is a very serious matter, as stations have lost their broadcast licenses over this type of situation in the past. CBS 4 and The Lift contacted FurCast, who were unaware of this "malicious syndication" of their programming, and who contacted the relevant authorities.
FurCast's release suggested that "multiple terrestrial radio stations around the world" were impacted, and that there may be an exploit in the Barix Streaming Client, used by many broadcasters (including The Lift), or that a brute-force search or default password was used to gain access.
The latter seems to be supported by an Michigan broadcast engineers' advisory quoting a member of the Alabama Broadcasters Association, who emphasized that low-strength passwords may have been a factor:
This appears to have been in the planning stages for some time by the person doing it – apparently they have been accumulating passwords for some time. MAKE SURE that your password is of sufficient strength! Barix Boxes will take up to 24 characters…. In at least two cases six character passwords were cracked.
Although this situation is being investigated (complete with the FCC pouring over the server access logs sent to them by FurCast and The Lift), it may be difficult to find the true culprits. Meanwhile, The Lift has begun an internal security audit.
Update: Texas's KXAX was also affected by the hack, and a report was published in the 10PM news on Houston's KHOU 11 TV.
Update 2 (8 Apr): Various news outlets, such as Ars Technica and the BBC, have now covered this topic.
About the author
Ringtailed Fox — read stories — contact (login required)a freelance editor & writer and Fox-raccoon hybrid from Windsor, Ontario, Canada, interested in bicycle riding, reading and video games
Comments
Oh man, what a tease of a story. The other half I want to know is contained within "While hilarious, this is a very serious matter..."
I'm imagining construction workers scratching their heads and asking each other "what's yiffing?" And why this valley... maybe there was an old fashioned feud with the next valley over, and we can wait for the other shoe to drop.
Well, you can't have vulgar language on the radio, at least in the USA. It's what nearly got a ton of stations carrying Howard Stern (like Detroit's WRIF 101.1 "The Riff") yanked off the air. It's why he went to Sirius XM.
~ The Legendary RingtailedFox
Note that this wasn't an exploit or even (potentially) a brute force against these Barix boxes. They were all on the Internet with no auth or the default password (changeme). I doubt there was any need to brute force the passwords on these things. (Although, I imagine the passwords set on most of these would have been terrible, so it's possible that was done as well).
If you have a specific source for that, it'd be cool; I've added a default in as a possibility, however the engineer's advisory suggests that "changeme" was not used, as that is seven characters. The manual notes it is stored as plaintext in an INI file. o_o
Hmm, this was from someone who apparently knew about it. But there definitely were Barix's out there with NO auth. (Have a look on shodan.io, you'll find a few)
I own a Barix box, and sure enough after I did a factory reset I can gain full access to its configuration. Confirmed!
I think I should explain things a bit further here, because technical stuff like this can be confusing. On February 11, 2013, there was a similar broadcast signal intrusion event at FOUR television stations across the United States: WBUP (ABC 10) and WNMU (Northern Michigan University PBS) in Marquette, Michigan, KENW PBS in Portales, New Mexico, and Great Falls, Montana's KRTV (CBS/Montana Television Network).
Each station was hacked by the same individual triggering their Emergency Alert System devices, causing them to break from regular programming to air a video/audio/text notice (usually this is done during Tornado Warnings or Hurricane/Tropical Storm Warnings as they make landfall) of zombies waking from their graves and invading the viewing areas (a reference to The Walking Dead). Ultimately, the Federal Communication Commission found the stations liable for the broadcast intrusion because they did not adequately secure and encrypt their systems from unauthorized remote access.
This is unlike when WGN-TV and WTTW-TV in Chicago were hacked in 1987 they were found to not be liable, as there was no faulty/hacked devices, just someone overpowering the station's radio signal with their own, at the transmitter. So, the answer to the question "are KIFT and KXAX-LP going to be held responsible for this?" is "MAYBE." It's all up to the FCC. Whoever did this is certainly going to be held liable, of course, but broadcast and cable/satellite television stations must have secure facilities.
In the past (though as recently as the early 2000s), most stations used either direct cable links for their Studio-Transmitter Link, though many also employ direct microwave links using the top edge of the UHF band (around 960-1140 MHz) or the High Frequency Band (20-45 MHz, around and just above where Shortwave and Citizens Band Radio are used). In addition, most stations encrypted their analog audio feeds at the studio and decrypt them at the transmitter, though analog encryption is still fairly simple and easy to hack. With TELEVISION, the switch to digital operations rendered this sort of intrusion far more difficult (instead of an analog feed, it's digital, and given robust encryption).
We're obviously not done with this story, so I'll be updating at least once more, with a follow-up from KHOU 11.
~ The Legendary RingtailedFox
Reading between the lines of the more mainstream media coverage, I can't tell if they're more insulted about the fact they had to listen about furry sex, or the fact that they listened to two hours of furry sex talk, and it was boring.
Italics mine. Duh.
lol.... well, that's one way to remove the stigma the fandom has: show detractors the bear and naked truth :P (pun intentional)
~ The Legendary RingtailedFox
Great comment from a non-furry on another site:
Either they are exaggerating the effect it had on listeners or their listeners are of the same intellectual level that gets stuck on an escalator for four hours because the power went out.
"If all mankind minus one, were of one opinion, and only one person were of the contrary opinion, mankind would be no more justified in silencing that one person, than he, if he had the power, would be justified in silencing mankind."
~John Stuart Mill~
FurCast "a hobbyist group dedicated to furry sex"? Really?
They put more work into the tech side of the article than bothering to actually contact and talk to the Furcast hosts. Which is sad, because Paradox is really into tech. He's put a lot of work and money into the equipment for the show's networking and audio quality; he can talk about it pretty passionately.
I tried using Ars Technica's contact form to point out the show is about satirical commentary with a risqué sense of humor, and that if they'd bothered to check, they'd have also noticed Furcast does an annual charity-raising show, and that perpetuating a stereotype doesn't help things.
Yeah, the Ars Technica coverage was… not ideal. I mean, it's not like FurCast is KnotCast. The BBC did slightly better.
Not that I would endorse this as a means of drawing attention to furries, but a part of me wonders if anyone will discover the fandom and decide to join as a result of these incidents.
Plenty did for CSI. I think the online coverage is more likely to cause it than the radio itself, though.
I believe Andrew W.K. joined the fandom after discovering it... made a wolf fursona called the "Party Animal"
~ The Legendary RingtailedFox
My 2 cents is he's lying.
You know, trying to fit in to remain popular.
Well, I'll be...
Yes, because if there's one surefire way to become popular in this world, it's join the furry fandom.
He did something similar for the brony subculture (and I think I've seen a photo of him hanging out with juggalos?). I think more than actually "joining" any of these fandoms, he just likes "weird" people and is showing support(?)
Being cynical about Andrew WK? Grrr! >:( That is one guy who made a career out of being passionate rather than being passionate about his career. When he likes something he really likes it. I love him.
Considering he only made 2 songs that people know about, I say he should try harder.
Well, I'll be...
He made a great persona, have you seen the guy? I can't see anything about the guy without smiling. Check out his advice for how to be a great musician. http://www.villagevoice.com/music/10-times-andrew-wk-gave-the-best-advice-8064270
Patch, we all know that Andrew WK hasn't existed since he was replaced by an actor in 2005.
Should have broadcasted Clawcast (clawcast.com). While dated, it would at least be good.
Well, I'll be...
Max is somewhere out there, laugjung
I bet something similar will happen again. There's a lot of new low power FM translators and booster stations (usually running 250 watts or less) going on the air all over America now. A lot of them use Barix boxes with ISDN or Wi-Fi internet because it's a cheap way to send audio from their studios. If they dont have strong passwords they are all sitting ducks for hackers.
I think this should be considered something of a big deal to the government and FCC.
No, not because of this particular incident, because what if could have very easily been something worse than uncensored furry talk.
What if ISIS decided to hack into airwaves to spread propaganda?
America should consider this a warning to protect their airwaves, because if this could happen, then it certainly can happen with more nefarious content.
Of all the possible things a militant or terrorist group could attack America with, propaganda is what you're worried about?
About five minutes of that, and ... we'd probably just roll our eyes and turn off our radios and be all like, "Man, these stupid shock jock morning radios; I wish they'd just play some music, because this sketch or whatever they're doing is, like, racist and not funny."
If we gave ISIS a free propaganda channel, it would be a nice safe boondoggle to keep them too busy to kill people while everyone ignores it. Propaganda is mothers milk to the american consumerist public, everyone's a glutton for their favorite depending on whether it's the fun or boring kind.
Check out some of the ridiculous North Korean propaganda. That hit-you-over-the-head stuff only works when you have captives who dont have any choice to watch something else.
Or maybe in european countries having problems with accommodating immigrants into their inconsistently socialized systems. America's too wild west for that, the few terorists that might happen here are more about hiding in plain sight than broadcasting intentions to a disaffected populace.
I'm super into the idea of a lurid midnight movie crossing over a criminal heist plot with a furry convention, so the bandits use fursuits for cover. Has to be well researched though. And then their plan is messed up when they become accidental popufurs. There would be unexpected coming-outs, geek tests and rave drugs, awkward costume switches, and a gauntlet of hugs and dance comps. Is that an SPH, or does it have something to do with where you keep a gun in a fursuit? Who switched the bulletproof vest with the EZ cool? Is that an undercover cop or just an extremely amorous admirer? What happened to the gold and why is the briefcase full of Bad Dragon toys?
If you can work that last paragraph into a good storyline, you might just win yourself an Ursa Major award.
Regardless, we can always look back on the greater things we have done: http://en.wikifur.com/wiki/Charity#Timeline_of_charity_donations
Post new comment