Vulnerability had been known for nearly a year, flared up shortly after inauguration.
A certain model of Low Power FM radio transmitter with known vulnerabilities has been targeted in a new wave of radio-station hacks this week. Armed with an exploit that was known all the way back in April 2016, hackers have commandeered terrestrial radio stations—and in apparent unity, the hackers all decided to broadcast the YG and Nipsey Hussle song “Fuck Donald Trump.”
News of the song’s unexpected playback on radio stations began emerging shortly after Trump’s inauguration on January 20, and the hack has continued to affect LPFM stations—a type of smaller-radius radio station that began to roll out after the FCC approved the designation in 2000. Over a dozen stations experienced confirmed hacks in recent weeks, with more unconfirmed reports trickling in across the nation. Thus far, the stations’ commonality isn’t the states of operation or music formats; it’s the transmitter.
Specifically, hackers have targeted products in the Barix Exstreamer line, which can decode many audio file formats and send them along for LPFM transmission. If that sounds familiar, that’s because Ars Technica reported on this kind of hack last year. As Barix told its products’ owners in 2016, Exstreamer devices openly connected to the Internet are incredibly vulnerable to having their remote login passwords discovered and systems compromised. The company recommends using full, 24-character passwords and placing any live Internet connections behind firewalls or VPNs.
Neither that April alert nor the immediate post-inauguration burst of hacking activity spurred enough Barix Exstreamer users into taking action, leaving a population of FCC-approved LPFM stations vulnerable to invasion. In one case, reported by Heat Street, a radio station operator admitted that her transmitter had been left connected to the Internet without any remote-access password enabled.
Reports have yet to connect any dots on why the exploit has apparently focused on the YG and Nipsey Hussle song—though it is fairly popular, having recently finished in the Top 15 of the Village Voice’s 2016 Pazz & Jop music critics’ poll. Plus, the uncensored lyrics and topical nature are certainly more likely to catch people’s attention, especially when played on stations with formats like oldies, classic rock, and Tejano.
Working as a cyber security solutions architect, Alisa focuses on bug bounty and network security. Before joining us she held cyber security researcher positions within a variety of cyber security start-ups. She also has experience in different industry domains like finance, healthcare and consumer products.