We started hearing the reports right after Labor Day Weekend concluded. Quickly, social media spread with reports of “Barix hacks.”
Several radio stations — including an LPFM that we confirmed in Iowa — unintentionally ran audio that contained explicit lyrics and delivered bogus messages sent out over their Emergency Alert Systems.
The common thread? The stations used equipment manufactured by Barix to send audio from their studios to their transmitter sites.
For some observers, it was more evidence of how collectively behind the industry is in cybersecurity measures. For others, they wondered how devices — so integral to a station’s audio airchain — could be so vulnerable?
Johannes Rietschel, the chief technology officer at Barix, spoke with Radio World after the most recent round of infiltrations for his take on the situation.
A blessing and a curse
Rieteschel has been here before.
He founded the Switzerland-based company in 2001 and it has since sold approximately 1.4 million audio over IP devices worldwide since. He remembers the early days.
“20 years ago there was not much talk about IT security,” Rietschel recalled.
He estimates that “tens of thousands” of the second-generation Barix Instreamer encoding devices and the Exstreamer decoding devices, released in 2003, are still in use at stations.
It was the perfect pair for stations looking to evolve from legacy 950 MHz studio-to-transmitter links.
For Rietschel, it was almost a happy accident. “Some smart people in the radio industry figured out that pairing the devices together would solve a problem,” he said.
Radio stations have heralded Barix’s ease of setup and cost-effectiveness. Rietschel certainly enjoys radio’s support — but he knows the reliability of the devices the company sells can be both a blessing and a misnomer.
In 2015, several high-profile breaches of Barix devices led to an FCC investigation.
The devices have never been marketed as plug-in-play, all-in-one appliances, Rietschel said.
“The Exstreamers are at their core, a generic IP audio decoder,” he said.
So after the most recent round of breaches, Rietschel is underscoring the need for operators to take the time to ensure their Barix devices are secured — ideally through a VPN.
“The Barix devices should never be fully exposed to the internet,” he stated flatly.
Cuts like a knife
Today, Barix is still based in Switzerland but most of its production and engineering take place in Portugal. That’s where Rietschel lives now.
He has studied computer science and software engineering for more than 40 years. His experience taught him that any device with an open port accessible from the outside internet is vulnerable.
“I remember talking to someone at a trade show and they told me, ‘if I can’t even remember the IP address to my network, how would someone find it?’” Rietschel recalled.
Of course, there are plenty of automated ways for the nefarious to locate exposed devices.
All a hacker needs is an IP address and operating port of a device. As a result, publicly accessible devices are, in essence, a ticking cybersecurity timebomb.
If an entity gains access to a station’s Barix, its audio airchain can be completely compromised, as reported over Labor Day weekend, including the station’s Emergency Alert System feed.
[Related: “Your Station’s Cybersecurity Matters Most Now”]
Even worse, a total distributed denial of service attack, where a system’s resources are so overwhelmed that a network is rendered unusable, is possible with such a compromise.
Barix considered implementing a protocol that required written signed confirmation from a customer purchasing one of its devices. But the company cannot control the vibrant resale market, and decided against such a stipulation.
“There’s no such thing as a driver’s license required to put devices onto the internet,” Rietschel said.
The CTO had plenty of analogies for the situation at hand.
“Compare it with sharp kitchen knives you need to cook,” he continued. “If you are in a household with children and leave the knives out on the counter for convenience, what kind of risk are you taking?”
Stay unlisted
Rietschel recalled that nine years ago, automated search engines could find about 1,400 Barix devices exposed to the public internet, most without a password.
Some suggested Barix configure its Instreamers and Exstreamers such that, even if they get indexed by the website Shodan, for instance, the names of the devices — which highly suggest radio station equipment — would not be revealed.
Rietschel said that’s just masking the problem at hand.
Most of the devices that are on Shodan’s list are identified by SNMP, meaning that they are fully exposed to the internet.
Rietschel compared configuring an AoIP device in this manner to making a home printer available to the world, only to be surprised when hackers drained all the ink.
He considered a corrective patch to disable SNMP in the devices, but concluded that there would be no gain.
“Putting a device’s configuration interface into the public internet is an absolute no-go, whatever the device or purpose is,” he said.
How to secure your station
Rietschel said that a combination of factors — scant station technical staff, budget cuts and some high-profile previous breaches — are contributing to the recent breaches.
For a smaller station that is struggling with IT security, the first thing he recommends is talking with whoever it was that set up the station’s Barix combo in the first place.
If the system was successfully paired — not a trivial task, Rietschel indicated — then the station has the technical capacity to secure the devices behind a VPN, even if they are logically paired on two separate LANs for the studio and transmitter.
In lieu of in-house support, Barix offers two solutions for security:
Reflector
Rietschel pointed to the service that the company launched with Streamguys more than 15 years ago, called the Barix Reflector Service. It matches authenticated Barix decoders and encoders and forwards the stream between them so that both can be protected firewalls and stay invisible.
While Reflector costs a modest monthly fee, he said it was designed with this exact security situation in mind.
Stream pull
If you’d prefer not to opt for Reflector, he recommends Barix’s “stream pull” method, known as BRTP, which the company designed more than 15 years ago and has since supported.
The BRTP configuration allows the Exstreamer decoder to be set on a dynamic IP address behind a firewall and pull a stream from an Instreamer in the studio, as opposed to the usual configuration the other way around.
The studio still needs to have a public IP address, Rietschel said, but only one specific port needs to be forwarded, and a firewall can limit access so it is not detectable on a site like Shodan.
Barix also has offered a “next generation” of audio devices for about seven years, which are equipped with recent security features. Yet, even with the newer models, Rietschel’s core warning remains absolute:
“I would recommend never putting any IoT device on the public internet,” he emphasized.
Technical fluency
For years, the radio industry has preached being nimble in multiple areas — podcasting, marketing and video, for example.
Technical knowledge, Rietschel pleaded, should be at the top of the list.
“Maybe it’s a younger staffer who is more fluent in this area,” he explained. “The next generation often deals with IT security every day, and for them, it’s no different than securing a network at their home.
Your station deserves the same treatment,” he said.
At the end of day, whether it be at a radio station, network operations center or your own home, firewalls and VPNs are available for a reason, Rietschel concluded.
Comment on this or any article. Email [email protected].
