The broadcast signals for four US radio stations were hacked last Tuesday, hijacked by somebody who swapped the regular Taylor Swift-esque fare of pop music for a 90-minute, raunchy podcast about “furry” sex.
FurCast – the furry culture group behind the podcast – said it is absolutely not responsible for the broadcast signal takeover.
In a post published Wednesday and updated Thursday, the group says it produces content for a niche audience and has “no interest in being discovered by a mainstream audience.”
According to FurCast, after it learned that its podcast had been inflicted on unwilling radio stations for about 90 minutes, it checked its logs and found that somebody had used the Shodan search engine for internet-connected devices to come up with an index of unsecured Barix audio streaming devices.
Shodan crawls its way around the internet, connecting to likely services, logging what comes back, and creating a searchable index of the results.
It’s been used to index internet-connected baby monitors, for one. Another target has been improperly configured MongoDB databases, like those at MacKeeper, Sanrio’s Hello Kitty, kid site uKnowKids and Hzone, a dating app for HIV-positive people, among others.
In this case, the radio hacker built a database of unsecured Barix devices, then broke into as many devices as possible, connected the devices to FurCast’s stream, and locked out the stations.
Livingston, Texas-based country music station KXAX found itself broadcasting raunchy ramblings on Tuesday and said on its Facebook page that the devices that send its audio to a transmitter site had been hacked.
Jason Mclelland, owner and general manager of the KXAX Radio Group, sent this emailed comment to Ars Technica:
“All in all the FurCast aired for an hour, possibly two. During that time they talked about sex with two guys and a girl in explicit details and rambled on with vulgar language not really having much of a point to the podcast. I’m assuming there was no real reason for this hack.”
On the same day, the signal for Colorado-based radio station KIFT was also forced into broadcasting the podcast.
The station published a post that explained that an internet-enabled Studio Transmitter Link had been hacked and its station engineers had been locked out.
Engineers at both stations had to travel to remote transmitter sites to do a hard reset in order to regain control.
According to radio industry news site RadioInsight.com, two more targets that didn’t want to be identified were involved: an AM station in Denver and a national syndicator.
The Michigan Association of Broadcasters issued an advisory urging Barix users to make sure their passwords are up to snuff.
“This appears to have been in the planning stages for some time by the person doing it.
Apparently they have been accumulating passwords for some time. MAKE SURE that your password is of sufficient strength! Barix Boxes will take up to 24 characters…. In at least two cases six character passwords were cracked.”
We couldn’t agree more.
Here’s a short, sweet video that shows you how to cook up just such a nice, strong password that will help keep your internet-connected devices off of somebody’s Shodan list of targets.