Radio World has received several reports of apparent hacks on broadcast stations using Barix equipment.
The Swiss broadcast manufacturer specializes in AoIP products, some of which are used by radio stations for studio-transmitter links. The incidents were reported as taking place between Aug. 29 and Labor Day for some stations, according to posts on a private broadcast engineering forum on Facebook.
Fletcher Pride, vice president of Family First Radio Network, first alerted Radio World to the attacks on Sept. 7. He said that during the attacks, compromised boxes streamed explicit content seemingly promoting an X-rated website, along with a fake EAS message.
“You can see the full number of Barix devices that are public [here],” Pride wrote in a separate email on Wednesday. “At the moment, there are 600–650 publicly accessible devices worldwide with around 300 in the U.S. This includes all Barix devices, not just the Exstreamers. If Barix would make their devices not broadcast their presence prior to being signed into, the kind of attack that has happened would be much harder as the attackers would not know where to attack.”
Two stations that have reportedly experienced recent hacks include KRLL(AM) in California, Mo., and KPOG(LP) in Des Moines, Iowa.
Bob Carr, president of KPOG in Des Moines, told Radio World that a listener called his wife on Sept. 4, explaining that they heard music over the air on 102.9 FM with obscene lyrics, interspersed with a false EAS message. Religious teachings from Doug Batchelor were scheduled to be airing, which is what Carr was hearing inside KPOG’s studio.
Carr said he was able to remotely shut down the station’s transmitter until he could investigate further. KPOG uses a Barix Exstreamer, which was password-protected but had its port forwarded for outside access. Carr said the hacker had gained access to the Exstreamer and changed its password, so he was forced to perform a factory reset of the device. The station is now back on the air normally.
KPOG has since changed all passwords on station essentials, and Carr plans to install a VPN for access to the Exstreamer.
KRLL reports that its Barix box was broken into twice in the span of a week. Both times it was password protected, according to the station.
This is not the first time Barix equipment has been hacked. In April 2016, the company published a notice saying that some of its devices had been hijacked to broadcast unauthorized content. At the time, Radio World reported that a specific model of IP router at the stations — a Barix Streaming Client that can be used to distribute audio via IP — was accessed improperly and used to broadcast a sexually explicit podcast at several stations, media outlets and at least one broadcast association.
In October 2016, to prevent such incidents, Barix advised broadcasters to take several precautionary steps, including setting a new, 24-character password and ensuring that all devices were secured behind firewalls and not openly connected to the internet.
That advice from nearly 10 years ago still holds true today, Barix said.
In a 2017 “application note,” Barix emphasized that its devices are secure. “All except a few products run on a proprietary operating system that is highly unlikely to be the target of mainstream viruses,” it wrote. “Secondly, they provide additional security settings within the firmware. Barix recommends reviewing your security settings and addressing any potential weaknesses.”
On Wednesday, Barix told Radio World that newer-generation Barix products like the Exstreamer M400 have a unique password already set, avoiding the need for users to configure a password manually.
Additionally, Barix said it has long been partnered with StreamGuys — even before the 2016 hack — to offer its “Reflector” service. According to the company, Reflector helps stations establish secure network connections for AoIP transport and offers an “affordable, cloud-managed alternative to the traditional satellite approach.”
Speaking to the 2016 incident, Barix continued: “One reason why the Barix device was attractive was that these devices were probably running the Barix streaming client firmware instead of the STL firmware that was especially developed for radio broadcasters.”
The company said customers with questions or concerns are encouraged to contact Barix through its customer support portal.
To improve network security and avoid hacks, many longtime engineers are quick to recommend the use of a virtual private network (VPN).
If a station cannot get its Barix inside a VPN, however, Pride said there are two options: “One would be to remove the port forward in the router. If access is needed by the station, they can open the port back up and close it again as soon as they are finished. The other would be to change to using a private IP address entirely and, for access, put a computer inside the network running a remote viewing software such as DWService or Anydesk. This will give the station access to the local network through the browser of that computer while having virtually no outside exposure.”
Pride said Raspberry Pi computers work great for this as they are ultra reliable and always come back online after power failures. “That being said, neither of these options would work if a station is using a Barix Instreamer on a private IP network pushing the content to an Exstreamer on a public IP network.”
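The first of Pride's options, opening the port forward only for the duration of a maintenance session and closing it again afterwards, is easy to get wrong by hand: an engineer opens the forward, gets interrupted, and the device stays exposed. The script below is an added example written for this article, not code from Barix, Radio World or anyone quoted here. It assumes a Linux router using iptables, a WAN interface `eth0`, a device at the constructed address `192.168.1.50` on port 80, and an administrator connecting from the constructed address `203.0.113.10`; restricting the forward to that one source address is an added refinement beyond what Pride describes. A `trap` guarantees the rules are removed even if the session is interrupted.

```shell
#!/bin/sh
# Added example (not from the article): expose an AoIP device's management
# port through the router only for a bounded window, then remove the rules.
# Assumed environment: Linux router with iptables. Set IPT=echo to dry-run.
IPT="${IPT:-iptables}"

# Constructed values for illustration; adjust to the real network.
WAN_IF="${WAN_IF:-eth0}"               # interface facing the internet
DEVICE_IP="${DEVICE_IP:-192.168.1.50}" # Exstreamer's private LAN address
DEVICE_PORT="${DEVICE_PORT:-80}"       # device's web-management port

# A port forward is two rules: a DNAT in the nat table and an ACCEPT in FORWARD.
# $1 is the iptables action (-A to add, -D to delete); $2 is the admin's
# source address or CIDR, so the forward is never open to the whole internet.
forward_rules() {
  action="$1"; src="$2"
  "$IPT" -t nat "$action" PREROUTING -i "$WAN_IF" -s "$src" -p tcp \
      --dport "$DEVICE_PORT" -j DNAT --to-destination "$DEVICE_IP:$DEVICE_PORT"
  "$IPT" "$action" FORWARD -i "$WAN_IF" -s "$src" -p tcp \
      -d "$DEVICE_IP" --dport "$DEVICE_PORT" -j ACCEPT
}

open_forward()  { forward_rules -A "$1"; }
close_forward() { forward_rules -D "$1"; }

# Open the forward for admin address $1 for $2 seconds. The trap removes the
# rules if the script is killed or interrupted, so the device is not left
# reachable from outside after the maintenance window ends.
timed_forward() {
  src="$1"; secs="$2"
  trap 'close_forward "$src"; trap - INT TERM EXIT' INT TERM EXIT
  open_forward "$src"
  sleep "$secs"
  close_forward "$src"
  trap - INT TERM EXIT
}

# Usage (as root on the router): timed_forward 203.0.113.10 900
# opens the forward for the admin's address for 15 minutes, then closes it.
```

Run with `IPT=echo` first to see the exact rules that would be installed. The safer default, as Pride and Toven both note, is to have no forward at all and reach the device over a VPN; this script is for the case where that is not yet possible.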
In the wake of this news, Shane Toven, director of technology at Frandsen Media, published a Radio World commentary saying: “While there are a small number of exceptions, very seldom does a piece of broadcast equipment need a direct public IP address (or port forwarding through a firewall). The key here is using things like VPN tunnels and access control lists.”
Toven also wrote that while manufacturers must consider security in their product designs, “most of the blame lies squarely on broadcasters for (still) not following common-sense cybersecurity practices.”
This is a developing story.