Ensure the Security of Your RDS - Radio World

What can we learn from recent security attacks or compromises of RDS encoders?

This is one in a series of Radio World articles about how to “Get the Most Out of RDS.” See past articles at radioworld.com/rds.

At the Radio Show in September 2014, the National Radio Systems Committee adopted NRSC-G300-B, and the document was published formally on the NRSC website in December. A copy of the NRSC-G300-B guideline can be obtained at www.nrscstandards.org.

For those not familiar with the NRSC-G300-B guideline and its recent updates, it is a reference document for engineers to understand both high- and low-level details of the RDS specifications and hardware, and how to best configure radio stations for optimum RDS performance and compatibility across an array of receivers. I am currently the chair of the NRSC RBDS Usage Working Group that produces the G300 document, and I am one of many contributors of its contents.

Fig. 1: Not recommended. The RDS encoder is directly attached to the Internet.

SECURITY

The recent “B” revision of this document features a new Section 4.6 “RDS Encoder Security” that station engineers and those performing IT duties for radio stations should review. This could essentially be seen as a formal industry response to address small-scale security attacks or compromises of RDS encoders, which have typically involved the station transmitting false or profane information in the PS or RT fields. There have been several published reports in the media about these occurrences, by Radio World and others. Private reports indicate there have been unpublished attacks as well.

RDS encoders are designed to be easy to configure and access. How to address these devices is widely known. Instruction manuals for most RDS encoders are available online to assist engineers installing these devices. This same information is available to people who may be looking to compromise an RDS signal.

The documented compromises were of RDS encoders directly attached to the Internet without any protection devices, such as a firewall or router. However, the discussion in NRSC-G300-B analyzes many other avenues for compromise, both physical and logical, that are worthy of your consideration and review.

G300-B covers too many items to go into detail on all of them here; I invite you to download a copy and read it for yourself. However, I think it would be helpful to go into detail on the most common attack method of the known RDS encoder compromises in 2013–2014.

PRIVATIZE

Fig. 2: Recommended. The RDS encoder is protected by firewall or VPN router.

As RDS use has become more common in automobile radio receivers, many stations have been seeking low-cost ways of implementing dynamic RDS solutions. In some cases, stations looking to do this on a budget may not be able to purchase a new STL that offers a private, secure TCP/IP connection from the studio to the transmitter site.

Many studio locations already have a connection to the Internet. In some cases, an inexpensive Internet connection to the transmitter site is added, the RDS encoder is placed on the Internet, and the studio sends updates to the RDS encoder over the Internet. Many of the known compromised RDS encoders were configured as depicted in Fig. 1.

In these situations, it is recommended that the transmitter site be supplied with a VPN-based router, and a VPN be established from the studio to the transmitter site, offering a secure means of communicating with the RDS encoder along with other equipment that may be located at the site, as depicted in Fig. 2. The creation of the VPN privatizes the RDS encoder.

However, in situations where cost is a major concern, it is strongly recommended that a low-cost firewall be installed at the transmitter site. When searching for this type of firewall, look for one that supports port forwarding with IP source restrictions. Not all inexpensive firewall/routers support this feature, so it is best to do some research and perhaps some experimentation. Using a topology similar to Fig. 2, the firewall would be configured to permit and pass through only traffic from known sources to known ports. NRSC-G300-B Table 3 covers this specific configuration. Keep in mind that going this route may well be inexpensive, but it is still prone to attacks.
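To make “known sources to known ports” concrete, here is an added example (not from NRSC-G300-B or from any firewall vendor) that models a port-forward table and checks it for entries that admit unknown sources. The rule format, the documentation-range addresses, port 5000 and the `max_hosts` threshold are all assumptions chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Forward:
    """One port-forward entry (hypothetical format, not any vendor's export)."""
    wan_port: int
    lan_host: str
    lan_port: int
    allowed_src: tuple  # CIDR strings; an empty tuple means no source restriction

def permits(rules, src_ip, wan_port):
    """Return the LAN target an inbound connection reaches, or None (default deny)."""
    src = ipaddress.ip_address(src_ip)
    for r in rules:
        if r.wan_port != wan_port:
            continue
        if not r.allowed_src or any(src in ipaddress.ip_network(n) for n in r.allowed_src):
            return (r.lan_host, r.lan_port)
    return None

def audit(rules, max_hosts=8):
    """Flag forwards that do not limit traffic to a small set of known sources."""
    findings = []
    for r in rules:
        if not r.allowed_src:
            findings.append((r.wan_port, "no source restriction"))
        for n in r.allowed_src:
            if ipaddress.ip_network(n).num_addresses > max_hosts:  # assumed threshold
                findings.append((r.wan_port, f"source {n} too broad"))
    return findings

# Constructed sample data: documentation address ranges and a placeholder port.
STUDIO = "203.0.113.10"
OPEN = [Forward(5000, "192.168.10.20", 5000, ())]                      # forward with no source limit
RESTRICTED = [Forward(5000, "192.168.10.20", 5000, (STUDIO + "/32",))]  # studio address only

if __name__ == "__main__":
    for name, rules in (("open", OPEN), ("restricted", RESTRICTED)):
        print(name, "studio ->", permits(rules, STUDIO, 5000))
        print(name, "other  ->", permits(rules, "198.51.100.77", 5000))
        print(name, "audit  ->", audit(rules))
```
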

The best level of protection comes from locating the RDS encoder on a private network. If you are using an Internet connection delivered to the site, the best method to extend a private network to the site is via VPN.

There are many more security considerations explored in the guideline. I strongly recommend you consider implementing as many of the security recommendations outlined in NRSC-G300-B as possible.

Alan Jurison is a senior operations engineer for iHeartMedia’s Engineering and Systems Integration Group. He also chairs the NRSC RDS Usage Working Group. He holds several SBE certifications including CPBE, CBNE, AMD and DRB. His opinions are not necessarily those of iHeartMedia, the NRSC or Radio World.
