View Full Version : KIFT (Lift 106)/Breckenridge, CO Hacked By Pirate Podcaster
Colorado Media Newsroom
April 5th, 2016, 11:49 AM
From KCNC:
Listeners of the Breckenridge-based 106.3 FM The Lift radio station heard strange ramblings from an unknown person along with a lot of foul language on Tuesday morning.
According to listeners who contacted the CBS4 Mountain Newsroom, the hoax or hack continued for several hours.
Someone was able to take over the IP address that sends the station’s signal out, so what was heard over the air was nowhere near what the station thought it was broadcasting, and they had no way to control it as station engineers were locked out.
The radio station told CBS4 the hack was only on the booster site in Silverthorne and that normal programming content was broadcast over the main transmitter.
Employees with the radio station told CBS4 they are “extremely troubled and sorry for what has happened and what people have had to listen to this morning.”
The radio station is owned by Always Mountain Time Network that also has corporate offices based in Denver, according to the company’s website.
“Fortune 10 companies can be the victims; you know, little always mountain time KIFT in Breckenridge can be a target,” said Dan Cowen, KIFT Director of Programming. “As horrified as our listeners were, believe me, we were a whole lot more horrified.”
What ended up on air were the voices of a couple of men from upstate New York who run an online podcast on FurCast & XBN. CBS4 reached out to them and they claim to have no involvement in the hack and posted a statement on the website.
“We have been made aware of a reported incident where FurCast & XBN content was syndicated without our knowledge on a terrestrial FCC licensed FM radio station. We are deeply sorry to hear about this inappropriate incident * we are a group of friends who publish audio and video entertainment, wherein it is marked for containing explicit and inappropriate content * We are working with law enforcement to investigate this incident. We have preserved all access log files,” the statement reads.
The alleged hack did not impact the online streaming broadcast. The radio station said they conducted an internal security audit to try to understand how the problem occurred.
“It was a slow-motion car crash and it something where we really value — especially family * to have them wake up to this is beyond horrifying,” Cowen said.
For the small station, hundreds of calls and emails from upset listeners has them vowing to make sure something like it can’t happen again.
A Federal Communication Commission investigation is likely but it’s hard to track IP addresses and who actually did the hack.
more (http://denver.cbslocal.com/2016/04/05/mountain-radio-station-signal-apparently-hacked/)
Colorado Media Newsroom
April 5th, 2016, 05:03 PM
From All Access:
ALWAYS MOUNTAIN TIME LLC Top 40 KIFT (LIFT 106)/BRECKENRIDGE, CO listeners were greeted this morning by profans ramblings from an unknown hacker for several hours, according to reports from the DENVER CBS LOCAL website.
The radio station believes the hacker is a pirate podcaster from upstate NEW YORK who may have taken control of the signal at the transmitter site near KREMMLING, CO.
Employees with the radio station told reporters they are “extremely troubled and sorry for what has happened and what people have had to listen to this morning.”
Engineers are working to remedy the situation. The station owner, ALWAYS MOUNTAIN TIME, has corporate offices based in DENVER according to the company’s website. The alleged hack appears to have impacted only the over-the-air broadcast, not the online streaming broadcast.
more (http://www.allaccess.com/net-news/archive/story/152282/kift-lift-106-breckenridge-co-hacked-by-pirate-pod?ref=rss)
Ghost of Timber Dick
April 5th, 2016, 08:59 PM
Maybe they (and all stations) should have to have a live person in the station during all broadcast hours. THIS is an example of what can happen when stations are automated 24/7.
I'm amazed that NOBODY bothered to shut the signal down for so long.
spikey
April 5th, 2016, 11:52 PM
Maybe they (and all stations) should have to have a live person in the station during all broadcast hours. THIS is an example of what can happen when stations are automated 24/7.
I'm amazed that NOBODY bothered to shut the signal down for so long.
i'm going to go out on a limb and guess that the password of "changeme" on a barix wasn't.. changed..
also guessing the transmitter remote control doesn't work or doesn't exist, and/or there's no local facilities to generate audio, necessitating someone driving lead-footedly up from denver to breck.
Colorado Media Newsroom
April 6th, 2016, 06:49 AM
From Radio Insight:
Some listeners of Always Mountain Time Hot AC “Lift FM” 106.3 KIFT Kremmling CO and other stations across the country got a surprise on Tuesday morning when the stations began airing the audio of an explicit podcast about furry sex.
KIFT was not the only station to be affected. 104.3 KXAX-LP Livingston TX, an AM in Denver and a national syndicator that wished to not be identified were also affected by what seems like a directed botnet attack seeking access to as many public facing Barix while then locking out the stations. Engineers at the stations needed to do a hard reset of the devices to regain control.
Always Mountain Time released the following statement about their hijacking:
In regards to our station KIFT this morning, what we know at this time is that a Studio Transmitter Link for our station, which is Internet enabled, was hacked earlier today. For approximately an hour and a half, programming from a podcast unrelated to our normal programming was broadcast on a booster of KIFT. The main signal of KIFT was not affected, but the booster station was broadcasting the podcast programming, some of which was inappropriate for broadcast use. Our station was unable to regain control over the STL until the station engineer actually traveled to the remote transmitter site, and reprogrammed the system from that location.
We use industry standard closed systems for our STL and are unsure how this was able to happen. We are working with equipment manufacturers and auditing the security of our own systems to avoid any repeats of this incident. Unfortunately, we live in a day and age where hacking is becoming and increasingly bigger problem. We would urge other broadcast outlets to be aware of the possibilities and to take precautions. We sincerely apologize for to our listeners for the content of the broadcast and are doing everything possible to ensure that is doesn’t happen again.
KXAX-LP also issued an apology to listeners.
This morning, our remote encoders that send audio to our transmitter site was hacked. We want to apologize to anyone that was listening in this morning. At about 9am we were notified that a program was playing on the station that did not originate from this studio. We found out that our equipment had been hacked and was broadcasting a podcast or a stream from an unknown source. We were able to eventually get the problem resolved. But still want to apologize to anyone who may have heard the programming.
The staff of Furcast, the show that was broadcast over these stations, were quick to release a statement that they had nothing to do with their audio being used by the hijackers and they were cooperating with all law enforcement agencies investigating the incidents.
We have been made aware of a reported incident where FurCast & XBN content was syndicated without our knowledge on a terrestrial FCC licensed FM radio station. We are deeply sorry to hear about this inappropriate incident. FurCast and XBN content is made freely available on iTunes, our website and our YouTube channel for anyone to download and distribute. We are a group of friends who publish audio and video entertainment, wherein it is marked for containing explicit and inappropriate content.
We are working with law enforcement to investigate this incident. We have preserved all access log files.
INSTANT INSIGHT: Every station better be doing routine inspections of their setups to ensure this doesn’t happen to them. Change all your passwords and make them as strong as possible.
more (https://radioinsight.com/blog/headlines/105762/whos-hijacking-station-signals/)
jtr115
April 6th, 2016, 09:58 PM
Furcast recently updated its message:
https://furcast.fm/2016/04/malicious-syndication-press-release/
UPDATE 2016-04-07 0230 UTC
Multiple news outlets have reported incidents involving our content being maliciously syndicated on terrestrial radio stations around the world. After reviewing log files on the XBN streaming server, we have discovered large numbers of IP addresses attempting to connect to our archive stream. Our archive stream is an automated playout server that streams a playlist of our latest 10 episodes. It normally runs 24/7 for use with our website and our iOS & Android mobile apps. We took down the archive stream as soon as we heard of the incident with KIFT-FM, however hundreds of connections continued to spam the server with requests. We also noticed that a majority of the connections made had the user agent “Barix Streaming Client.” Barix is a well known manufacturer of audio streaming hardware. Their products are commonly sold to the broadcast and retail industries. They are commonly used for PA systems, studio-to-transmitter links, retail store environments, on-hold music and so on. We examined a small sample of the IP addresses and looked them up. All of the ones we sampled were listed on the website Shodan; a web-based search engine that searches the internet for devices, instead of websites.
We gathered a list of all the IP addresses used and blocked via our server’s firewall. We then brought our archive playlist stream back up under a new name & new stream URL. So far we have had no new connections on the renamed stream, although we are finding what appear to be new IP addresses attempting to connect to the old stream.
tjfC
The above image is a bandwidth usage graph of our streaming server. Normally little is used during the week until our main streams for the show go live on the weekend. As you can see around 0600 Eastern Daylight Time (1200 UTC), the bandwidth started growing at a steady pace. At just after 1430 EDT our stream was disabled and the bandwidth drops. This fits with what we observed in server log files where more and more Barix streaming devices continued to hit our server with requests. The bandwidth then jumps again when we brought our stream up for testing. We broadcasted test audio containing beeps during this time and did not air normal content.
We now understand how our audio stream was pulled and what was pulling it, but we still have unanswered questions.
Why was our stream used? Our icecast stream is one of millions around the world. We do produce content for a limited audience, that contains profanity and adult content, but otherwise have no understanding of why our stream was maliciously syndicated without our knowledge. We are not sure if our stream was picked deliberately, or at random (our stream is publicly listed on the main Icecast Streaming Directory).
What was the scale of this attack on our system? Would this have grown if our stream was not halted? The gradual growth of bandwidth suggests that more and more connection requests flooded in at a steadily growing pace. We are not sure if this is consistent with botnet behaviour.
What was the scale of this for everyone else? We also do not know who may have been affected by this. There were hundreds of IP addresses connecting to our streaming server. We are aware of the incident at KIFT-FM only because we were contacted by a journalist at Denver CBS. After searching many news feeds and Twitter trends, we have seen evidence of several other affected radio stations, but are otherwise unsure of the scale or extent. Barix streaming devices have many use cases beyond just the broadcast industry.
To summarize what we do know:
The incident seems to affect only Barix hardware. It could be an exploit of Barix hardware or a botnet attempting to log into whichever devices it could to then change the source stream URL. There are hundreds of results on Shodan when searching for Barix devices. We advise anyone that could be or are victims of this exploit to change login credentials and make sure any broadcast workflow equipment is not easily internet accessible.
The suspicious connections to our streaming server seemed to start Tuesday, April 5th, around 0600 EDT and continued until approximately 1430 EDT, when this was brought to our attention and we shut down the stream.
The XBN staff and everyone involved in the FurCast show would like to sincerely apologize to whoever may have been affected by these incidents. We as an organization are a group of like-minded friends producing content for a niche audience. Our content is discovered by individuals who specifically seek what we produce, and they do not normally come into contact with it via public means. We have no interest in being discovered by a mainstream audience. We are deeply disturbed to hear of these incidents and all the negative implications it has caused. If anyone from the media, or law enforcement would like additional information please feel free to email us at the address listed on our contact page. All of the information released above has been gathered using server log files and public media reports online. We will continue to monitor our streaming server for any suspicious connections, and will take down our stream if needed.
We may update this page with additional information if it becomes available.