Hacked repeater brings furry podcast FurCast to FM radio
Are furry podcasts unsuitable for breakfast? FM listeners in Colorado sure thought so!
On the morning of April 5, Denver-area FM station KIFT 106.3 "The Lift" suffered a broadcast signal intrusion on a relay station serving a remote valley. Instead of Bruno Mars, listeners in Breckenridge, Colorado were treated to Paradox Wolf, Fayroe and friends.
Denver station KCNC-TV "CBS 4" contacted The Lift for an explanation, and were told that the station sends programming from its studio to four transmitters via the Internet. Somehow, the Breckenridge repeater K258AS (99.5 FM) was compromised, and someone had spliced in FurCast Episode 224 in place of The Lift.
Thankfully, the primary FM and webcasts of both The Lift and Furcast.FM / XBN were unaffected, but a large amount of NSFW programming, including swearing, was broadcast without censorship for several hours, with The Lift's engineers unable to kill the studio/transmitter link remotely.
On FurCast's end, their server saw a gradual rise in connections to its podcast archive (used on its website and iOS and Android apps for listeners) from 06:00 AM EDT onwards, until they were able to temporarily disable access at 02:30 PM EDT. The archives have since come back online at a new address, with a long list of blocked IP addresses to prevent a recurrence.
While hilarious, this is a very serious matter, as stations have lost their broadcast licenses over this type of situation in the past. CBS 4 and The Lift contacted FurCast, who were unaware of this "malicious syndication" of their programming, and who contacted the relevant authorities.
FurCast's release suggested that "multiple terrestrial radio stations around the world" were impacted, and that there may be an exploit in the Barix Streaming Client, used by many broadcasters (including The Lift), or that a brute-force search or default password was used to gain access.
The latter seems to be supported by a Michigan broadcast engineers' advisory quoting a member of the Alabama Broadcasters Association, who emphasized that low-strength passwords may have been a factor:
"This appears to have been in the planning stages for some time by the person doing it – apparently they have been accumulating passwords for some time. MAKE SURE that your password is of sufficient strength! Barix Boxes will take up to 24 characters…. In at least two cases six character passwords were cracked."
Although this situation is being investigated (complete with the FCC poring over the server access logs sent to them by FurCast and The Lift), it may be difficult to find the true culprits. Meanwhile, The Lift has begun an internal security audit.