I’ve hesitated to write this article for over a year because I don’t want to go giving the ‘bad guys’ any ideas. Now the cat is out of the bag, so I might as well do a write-up. Various broadcast tech Facebook groups and mailing lists have been going nuts for a couple of days now.

Broadcasters… it’s time to secure your internet connected devices.

Tools such as Shodan make it remarkably easy for anyone around the world to easily locate internet-connected broadcast devices. Pop in a manufacturer’s name or device model in the search box, and you’ll probably find something. Pop in known banner text or port numbers, and you’ll probably find even more.

What is available?

We’re talking Transmitter Remote Controls, Studio Transmitter Links, Codecs, Monitoring Systems, Audio Consoles, Playout Systems, RDS Encoders, Phone Systems and so much more.

In this recent hack, Barix boxes were targeted (these are used as low-cost studio to transmitter links). Barix hardware a fairly easy target, due to the sheer volume of these devices in use around the world. However, any device could be targeted. Next it’ll be your favourite audio codec from Tieline, Telos or Comrex. Then it’ll be transmitter remote controls. Then your cloud-connected playout system (remote voice-tracking, anyone?).

So many of these devices are exposed to everyone on the public internet, probably via simple port forwarding or non-NAT’ed internet connections. Publicly exposed. Where anyone can get access to it. Better yet, much of this equipment is still using the default password from the manufacturer. If not, then it probably has a simple password (perhaps the station’s frequency) or a manufacturer’s back-door (this is surprisingly common).

Even if the passwords have been changed, it probably doesn’t matter. If someone wants to crack your HTTP basic-auth equipped device, they probably will be able to brute-force it. Most broadcast devices don’t allow you to change the username, so that’s a massive order of magnitude less combinations to try. Most systems aren’t rate-limited. Many don’t log failed login attempts. Basic-auth has low overheads so it’s a fairly easy process to use an off the shelf tool and run a dictionary attack. My guess is that the recent Barix hack was done this way.

How to secure internet-connected devices

Thankfully, securing your internet-enable devices is fairly easy. Here’s some tips:

  1. Use a firewall
    Cisco, Ubiquiti and Mikrotik all make great firewalls. They are also pretty cheap and easy to use. Put one directly after your ISP’s router and before any other devices.
  2. Enable a strong VPN in your firewall
    Most firewalls support a variety of VPN Servers. Make sure you enable one and select the strongest possible encryption.
  3. Only forward ports to the public internet that are absolutely necessary
    Hint: if you have a VPN, then port forwarding probably isn’t necessary.
  4. Use IP Whitelisting for any Port Forwards
    If you have to forward ports, only allow connections from known good IP addresses (such as your other station connections). Even if you whitelist an entire ISP’s range, it significantly lowers the potential for attack.
  5. Use strong passwords
    Make them long, and use all sorts of special characters. You can use this calculator to see how quickly a password could be cracked with a basic brute-force attack.
  6. Disable any identifying banners
    Most equipment identifies the software it is running. Try and disable this, or change it to something random. At the very least, make sure your device’s hostname is obscure.
  7. Don’t register Reverse DNS with a known hostname
    If your station’s name is in the Reverse DNS entry, then it becomes a much easier target. Speak to your ISP about changing this to something generic.
  8. Physically Secure your Devices
    If someone got access to your equipment rack or transmitter building, would you know about it? Do you have alarms and access controls? Do you log access, even from other tenants sharing the same building? Many telco’s put reed switches on the doors to all their cabinets, so it’s very obvious when someone gets in.
  9. Isolate equipment on different subnets and VLANs
    Your WiFi doesn’t need to share a subnet. Nor does your office network, phone system, playout/automation system, email servers or hypervisor management network. Break everything up into different subnets, and setup very strict routing policies between them.
  10. Conduct Regular Audits
    Go back over your equipment configuration once in a while and check it for mistakes.
  11. Update firmware
    Make sure you’re using the latest stable firmware on all devices, especially those that guard your perimeter.
  12. Don’t boast
    It’s tempting to share photos of your equipment with others, perhaps on a Facebook group. I strongly recommend against doing this, as it lets the whole world know what equipment you are using. If your adversaries know your gear, it becomes significantly easier to get in. Most commercial data centres around the world have a strict no-photos policy – you should apply this policy to your own sites.
  13. Educate your users about phishing
    If your users have even the slightest access to your audio or management networks, then they pose a threat. A simple phishing campaign can provide attackers with full access to a user’s computer or user account, which can be used to launch a simple network scan to reveal further holes and attack possibilities.

Shoot the Messenger?

There’s been a tendency by some to blame Shodan for enabling these hacks. Shodan is merely a tool used by information security researchers (and a handful of bad guys) to find devices on the internet. If Shodan didn’t exist, it’d be fairly trivial to use other tools such as NMap (or some custom-built software) to scan for appropriate devices on the internet.

Shoran doesn’t even scan every port. If someone wants to attack broadcasters, they can look up the manual for common pieces of gear and write a quick little scanner to target those ports. When you narrow it down to one port, and a handful of ISPs in a specific country, you quickly realise it’s a trivial task to run a scanner.

Take the time to think about security

Security isn’t a job to be performed by a consultant as a once-off. It’s part of everything we do as broadcast professionals. Take the time to learn about the different vulnerabilities, and start thinking like your worst adversary would.

How are you weak? How are you vulnerable? If you don’t take the time to find out, someone else will.