When Township High School District 214 in Illinois got rickrolled all at once across its six different schools just before graduation, it was more than a meticulously executed senior prank.
Cybersecurity star-in-the-making and recent high-school graduate Minh Duong found, and was able to exploit, a zero-day bug in the district’s Exterity IPTV system. The goof was received in good humor by school administrators, luckily for Minh and his cohorts, and the bug was reported to Exterity.
But so far, the company hasn’t responded to Minh’s disclosure or said anything about possible mitigations, he said.
“If I don’t end up hearing back from them in my next few attempts at contact, I will publish the exploit that I used,” he told Threatpost. “CVE-2021-42109 has been reserved for the Exterity IPTV privesc vulnerabilities, with my blog post being listed as a reference.”
“The Big Rick,” as the prank was called, came off beautifully — hijacking every TV, projector and monitor on the district’s IPTV system to play Rick Astley’s classic video for “Never Gonna Give You Up.”
Projectors and TVs across the Township district are all connected, and can be controlled through a blue box with three Exterity tools: The AvediaPlayer receiver, the AvediaStream encoder and the AvediaServer for management.
“These receivers include both a web interface and an SSH server to execute the serial commands,” he wrote. “Additionally, they run embedded Linux with BusyBox tools, and use some obscure CPU architecture designed for IoT [internet of things] devices called ARC (Argonaut RISC Core).”
The monitors can be centrally controlled to broadcast and receive things like morning announcements; with his exploit, Minh had full access and control.
“Since freshman year, I had complete access to the IPTV system,” he said. “I only messed around with it a few times and had plans for a senior prank, but it moved to the back of my mind and eventually went forgotten.”
Until he had the idea for “the Big Rick.” There’s even a video to document the moment:
“This is where I state the disclaimer again: never access other systems in an unauthorized manner without permission,” he wrote.
So far, there’s no indication that Threatpost could uncover that the bugs have been fixed by Exterity, which was recently acquired in April by IP video-tech company VITEC. Neither company responded to Threatpost’s inquiries by press time. According to its company site, Exterity is used across the world to deliver broadcast-quality television over IP networks.
The news comes as IP video vendors are increasingly under attack by threat actors.
For instance, three bugs were found in IP video surveillance systems from Axis communications earlier this month (CVE-2021-31986, CVE-2021-31987, CVE-2021-31988), which researchers said impacted every device run on the company’s embedded operating system.
Last summer, the Cybersecurity and Infrastructure Security Agency (CISA) issued a warning about a supply-chain flaw in ThroughTek security cameras that left them open to unauthorized access.
As for Minh, he’s studying at University of Illinois at Urbana-Champaign this semester, and said he’s interested in pursuing a career in infosec.
Check out our free upcoming live and on-demand online town halls – unique, dynamic discussions with cybersecurity experts and the Threatpost community.