An Illinois high school student is taking credit for hacking into his school’s IPTV system, accessing every display on the network and Rickrolling the entire school district and its 11,000 students.
Although a harmless prank, the ease with which a high school student with limited resources was able to fully control the display network should give integrators and their vendors a heightened sense of awareness when it comes to cybersecurity.
Minh Duong, a student of Township High School District 214 in Illinois – the state’s second-largest school district – wrote in a blog that he hijacked every networked display in every school to broadcast “Never Gonna Give You Up” by Rick Astley, which itself has become a popular meme and internet prank.
The hacked displays included anything connected to the network: TVs, projectors and a video wall displaying the lunch menu.
Can we PLEASE give it up to the cyber genius of a senior that managed to respectfully prank the entire district by Rick Rolling thousands during passing periods & left a good note for the #Classof2021 👍 Bravo & use those smarts to change the world! #seniorprank #d214rickroll pic.twitter.com/dKZt5PPYlD
— Fashion Chef (@FashionChef) May 1, 2021
According to Duong, he responsibly disclosed the vulnerabilities to IPTV vendor Exterity and the school districts IT staff, which helped him avoid any discipline for the hack.
The Exterity devices in the network question were AvediaPlayer receivers, AvediaStream encoders and AvediaServer management devices, he wrote.
The high school student said had “complete access” to the IPTV system since freshman year, but waited until April 30 of this year to pull his senior prank.
Duong writes that he first figured out how to control all projectors at once via the SSH access one each receiver as the command-and-control channel. He developed a simple shell script that would serve as a staged payload to be uploaded to reach receiver ahead of time.
“This script contained various functions that could execute requests to the web interface locally on the receiver,” Duong wrote. “Thanks to the increased flexibility from the payload, I could also back up and restore receiver settings to the filesystem after the rickroll was over.”
Duong details how he looped commands to keep displays on and keep the stream running if someone attempted to power off the display or mute it.
To gain initial access, Duong said he discovered several default passwords, but also a privilege escalation vulnerability that was present in all of Exterity’s products, giving him root access across all systems. As far as details on those bugs, Duong responsibly did not disclose any details.
To set up a custom video stream to play in real-time, Duong needed to broadcast multicast traffic, but only the AvediaStream encoders of AvediaSevers could do that. To test the stream, Duong said at night when the building was empty, he remotely connected to one of the PCs in the computer lab with the front camera facing the projector.
“Then, I would record a video to test if the projector displayed the stream correctly!” he wrote, along with a video displaying a UDP redirect issue through the AvediaStream encoders that added too much latency. That was fixed by broadcasting to multicast directly from an AvediaSerer using ffmpeg.
Three days before the prank, a scan discovered a “new IP range full of IoT devices” that was a recently installed bell system, mostly comprised of speakers. Each speaker connected to a server for their respective school and were locked behind a login page, but one sever had default credentials, allowing Duong and his peers to modify the bell schedule and upload custom audio tones.
From there, the high schoolers discovered that the compromised server performed weekly backups of its configuration to an external SMB file share, the credentials of which were the same default credentials. Each backup included an SQL dump of account usernames and password hashes.
It turns out that other bell systems also had backup servers that used default credentials, which allowed Duong to take full control over the bell schedules across the entire school district’s six schools.
Duong and his peers staged the prank to avoid disrupting classes and final exams, with the Rickroll stream running as the first block bell after a 20-minute countdown is displayed. Instead of the final dismissal bell, the stream is played again.
Penetration reports were sent to the district’s IT staff anonymously and Duong and his colleagues debrief the district via a Zoom call, but after he graduated. He revealed himself while his friends remained anonymous.
The pro AV community has long needed to get in line with modern cybersecurity principles, and default passwords on a display network won’t cut it.