Rickroll Grad Prank Exposes Exterity IPTV Bug
By Kathi on Oct 15, 2021 | 04:35 AM IST
IPTV and IP video security is
increasingly under scrutiny, even by high school kids.
When Township High School
District 214 in Illinois got rickrolled all at once across its six different
schools just before graduation, it was more than a meticulously executed senior
prank.
Cybersecurity
star-in-the-making and recent high-school graduate Minh Duong found, and was
able to exploit, a zero-day bug in the district’s Exterity IPTV system. The
goof was received in good humor by school administrators, luckily for Minh and
his cohorts, and the bug was reported to Exterity.
But so far, the company hasn’t
responded to Minh’s disclosure or said anything about possible mitigations, he
said.
“If I don’t end up hearing
back from them in my next few attempts at contact, I will publish the exploit
that I used,” he told Threatpost. “CVE-2021-42109 has been reserved for the
Exterity IPTV privesc vulnerabilities, with my blog post being listed as a
reference.”
“The Big Rick,” as the prank
was called, came off beautifully — hijacking every TV, projector and monitor on
the district’s IPTV system to play Rick Astley’s classic video for “Never Gonna
Give You Up.”
Projectors and TVs across the
Township district are all connected and can be controlled through a blue box
with three Exterity tools: The AvediaPlayer receiver, the AvediaStream encoder
and the AvediaServer for management.
“These receivers include both
a web interface and an SSH server to execute the serial commands,” he wrote.
“Additionally, they run embedded Linux with BusyBox tools, and use some obscure
CPU architecture designed for IoT [internet of things] devices called ARC
(Argonaut RISC Core).”
The monitors can be centrally
controlled to broadcast and receive things like morning announcements; with his
exploit, Minh had full access and control.
“Since freshman year, I had
complete access to the IPTV system,” he said. “I only messed around with it a
few times and had plans for a senior prank, but it moved to the back of my mind
and eventually went forgotten.”
Until he had the idea for “the
Big Rick.” There’s even a video to document the moment:
“This is where I state the
disclaimer again: never access other systems in an unauthorized manner without
permission,” he wrote.
So far, there’s no indication
that Threatpost could uncover that the bugs have been fixed by Exterity, which
was recently acquired in April by IP video-tech company VITEC. Neither company
responded to Threatpost’s inquiries by press time. According to its company
site, Exterity is used across the world to deliver broadcast-quality television
over IP networks.
The news comes as IP video
vendors are increasingly under attack by threat actors.
For instance, three bugs were
found in IP video surveillance systems from Axis communications earlier this
month (CVE-2021-31986, CVE-2021-31987, CVE-2021-31988), which researchers said
impacted every device run on the company’s embedded operating system.
Last summer, the Cybersecurity
and Infrastructure Security Agency (CISA) issued a warning about a supply-chain
flaw in ThroughTek security cameras that left them open to unauthorized access.
As for Minh, he’s studying at
University of Illinois at Urbana-Champaign this semester, and said he’s
interested in pursuing a career in infosec.