Listeners to at least three radio stations and one (unidentified) radio network got quite an earful last week when their programming was hijacked by an unknown hacker. The intruder, who used a search engine of internet-connected devices to find unprotected audio transfer equipment in radio stations/networks’ airchains, was able to compromise several of them because the targeted stations/networks either never changed the equipment’s default password, or they used a weak password that was easily bypassed.

The hacked stations all broadcast episodes of a comedy podcast devoted to furries, a subculture of people who like to dress up (and oftentimes, have sex) in animal costumery. “FurCast” is defintiely not-safe-for-work material, and the stations spent more than an hour airing them. According to the podcast’s producers, they noted a spike of “hundreds of connections” in podcast-download traffic last week, all of which were coming from hacked radio stations/networks, and were able to cut off the OTA simulcasts by changing the IP address from which podcast downloads originate.

The hack itself was pretty simple, though it’s thought that it took some time to put together. The longest and most labor-intensive effort was to use the Interet-of-Things search engine Shodan to compile a list of broadcast audio equipment accessible from the public ‘net. Then it was just a task of querying those boxes to see how many used the default password, and among those who’d changed their passwords, how many could be cracked. Once the target-list was complete, all the hacker did was send commands to log into those boxes, directing them to download the FurCast archive, and then changed the passwords on those boxes to prevent station/network engineers from accessing them and correcting the problem remotely.

With the right tools, all of which are easily accessible, this hack was well within the skillset of your average script-kiddie.

This is not a new concern. Three years ago, a similar attack was conducted on both radio and television stations; that one compromised Emergency Alert System (EAS) equipment which was directly accessible to the public Internet and whose default passwords had not been changed. Two years ago, several radio stations were infected with ransomware, which encrypted all their computers until the victim-stations either paid a ransom or restored from backups.

While both hacking-vectors are different in their execution, their primary tactic still relies on the weakest link in the chain: human indifference to cybersecurity. And the implications of any given attack can have unintended consequences. Part of this is the fault of un- or undertrained radio station staff delegated to set up and maintain the airchain, which itself is a very strong indicator of just how far the ranks of qualified and experienced broadcast engineers have been decimated in the industry’s decades-long quest to squeeze increased profit by cutting costs to the bone. Unintended consequences are a bitch.

Just for giggles, I ran some Shodan searches on the most typical brand-name equipment used to stream audio to/from radio stations and their transmitters. No surprise that my search turned up anywhere from dozens to thousands of results, indicative of various brands’ relative strength in this particular market. Obviously, many broadcasters still seem to be oblivious to the importance of cybersecurity and the need for its immediate adoption. Complicating passwords and keeping important equipment behind firewalls are good starting points, but the overall problem’s much more complicated than that.