If you have ever thought about the many IoT devices that live on networks at your organization, you should seriously look into the security of those products and segment those networks. At the very least, change the default passwords.
That’s the lesson an Illinois high school district learned when a student hacked into his school’s IPTV system, accessing every display on the network and Rickrolling the entire school district and its 11,000 students.
Although a harmless prank, the ease with which a high school student with limited resources was able to fully control the display network should give technology managers a heightened sense of awareness when it comes to the cybersecurity of their audio and video networks.
Minh Duong, a student of Township High School District 214 in Illinois – the state’s second-largest school district – wrote in a blog that he hijacked every networked display in every school to broadcast “Never Gonna Give You Up” by Rick Astley, which itself has become a popular meme and internet prank.
The hacked displays included anything connected to the network: TVs, projectors and a video wall displaying the lunch menu.
According to Duong, he responsibly disclosed the vulnerabilities to IPTV vendor Exterity and the school district's IT staff, which helped him avoid any discipline for the hack.
The Exterity devices in the network in question were AvediaPlayer receivers, AvediaStream encoders and AvediaServer management devices, he wrote.
The high school student said he had “complete access” to the IPTV system since freshman year, but waited until April 30 of this year to pull his senior prank.
Duong writes that he first figured out how to control all projectors at once by using the SSH access on each receiver as the command-and-control channel. He developed a simple shell script that served as a staged payload, uploaded to each receiver ahead of time.
“This script contained various functions that could execute requests to the web interface locally on the receiver,” Duong wrote. “Thanks to the increased flexibility from the payload, I could also back up and restore receiver settings to the filesystem after the rickroll was over.”
Duong details how he looped commands to keep displays on and keep the stream running if someone attempted to power off the display or mute it.
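The control pattern described above, one source opening SSH sessions to many receivers in quick succession and from a host that is not a management station, is exactly the kind of activity an IPTV network's own authentication logs can reveal. The following is an added example, not code from Duong's write-up or from Exterity: it parses OpenSSH-style `sshd` log lines forwarded from the receivers and raises two alerts, logins from outside a management subnet and "fan-out" (one source accepted on several distinct receivers within a short window). The management subnet, receiver hostnames, usernames and the log lines themselves are all constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption for this example: only this subnet may SSH into receivers.
MANAGEMENT_NET = ipaddress.ip_network("10.10.0.0/24")
# One source accepted on this many distinct receivers within the window is suspicious.
FANOUT_WINDOW = timedelta(minutes=5)
FANOUT_THRESHOLD = 3

# Constructed sample log lines (syslog + OpenSSH format); hosts and addresses are made up.
SAMPLE_LOGS = """\
Apr 30 07:40:02 receiver-a101 sshd[812]: Accepted password for admin from 10.10.0.5 port 50122 ssh2
Apr 30 07:40:10 receiver-a102 sshd[813]: Accepted password for admin from 10.20.3.44 port 50123 ssh2
Apr 30 07:40:11 receiver-a103 sshd[801]: Accepted password for admin from 10.20.3.44 port 50124 ssh2
Apr 30 07:40:13 receiver-b201 sshd[790]: Accepted password for admin from 10.20.3.44 port 50125 ssh2
Apr 30 07:40:15 receiver-b202 sshd[777]: Failed password for root from 10.20.3.44 port 50126 ssh2
Apr 30 09:15:00 receiver-c301 sshd[900]: Accepted publickey for svc-av from 10.10.0.7 port 41000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line, year=2021):
    """Turn one sshd log line into a dict, or None if it is not an auth event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; the caller supplies it.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {
        "ts": ts,
        "host": m["host"],
        "result": m["result"],
        "method": m["method"],
        "user": m["user"],
        "src": ipaddress.ip_address(m["src"]),
    }


def find_alerts(log_text):
    """Return a list of (rule, source_ip, detail) tuples for suspicious SSH activity."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    alerts = []

    # Rule 1: any attempt, successful or not, from outside the management subnet.
    for e in events:
        if e["src"] not in MANAGEMENT_NET:
            alerts.append(("outside_management_net", str(e["src"]), e["host"]))

    # Rule 2: one source accepted on many distinct receivers inside FANOUT_WINDOW,
    # which is what scripted control of a whole display fleet looks like.
    accepted = defaultdict(list)
    for e in events:
        if e["result"] == "Accepted":
            accepted[e["src"]].append(e)
    for src, evs in accepted.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            hosts = {x["host"] for x in evs[i:] if x["ts"] - first["ts"] <= FANOUT_WINDOW}
            if len(hosts) >= FANOUT_THRESHOLD:
                alerts.append(("ssh_fanout", str(src), len(hosts)))
                break  # one fan-out alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOGS):
        print(alert)
```

Run against the constructed sample, the lab-PC-style source `10.20.3.44` trips both rules (four out-of-subnet attempts and a fan-out across three receivers), while the two management-subnet logins produce nothing. In practice the receivers would need to forward their auth logs to a collector, and the subnet and thresholds would come from the site's own network design.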
To gain initial access, Duong said he discovered several default passwords, as well as a privilege escalation vulnerability present in all of Exterity’s products that gave him root access across all systems. Duong responsibly withheld any details of those bugs.
To set up a custom video stream that would play in real time, Duong needed to broadcast multicast traffic, but only the AvediaStream encoders or AvediaServers could do that. To test the stream, Duong said he would, at night when the building was empty, remotely connect to one of the PCs in the computer lab with its front camera facing the projector.
“Then, I would record a video to test if the projector displayed the stream correctly!” he wrote, along with a video showing a UDP redirect issue through the AvediaStream encoders that added too much latency. That was fixed by broadcasting to multicast directly from an AvediaServer using ffmpeg.
Three days before the prank, a scan discovered a “new IP range full of IoT devices” that turned out to be a recently installed bell system, mostly comprised of speakers. Each speaker connected to a server for its respective school and was locked behind a login page, but one server had default credentials, allowing Duong and his peers to modify the bell schedule and upload custom audio tones.
From there, the high schoolers discovered that the compromised server performed weekly backups of its configuration to an external SMB file share, the credentials of which were the same default credentials. Each backup included an SQL dump of account usernames and password hashes.
It turns out that other bell systems also had backup servers that used default credentials, which allowed Duong to take full control over the bell schedules across the entire school district’s six schools.
Duong and his peers staged the prank to avoid disrupting classes and final exams: the Rickroll stream ran in place of the first-block bell after a 20-minute countdown was displayed, and instead of the final dismissal bell, the stream played again.
Penetration test reports were sent to the district’s IT staff anonymously, and Duong and his colleagues debriefed the district via a Zoom call after he graduated. He revealed himself while his friends remained anonymous.
A version of this article originally appeared on our sister site Commercial Integrator.