When Township High School District 214 in Illinois got rickrolled all at once across its six different schools just before graduation, it was more than a meticulously executed senior prank.
Cybersecurity star-in-the-making and recent high-school graduate Minh Duong found, and was able to exploit, a zero-day bug in the district’s Exterity IPTV system. The goof was received in good humor by school administrators, luckily for Minh and his cohorts, and the bug was reported to Exterity.
But so far, the company hasn’t responded to Minh’s disclosure or said anything about possible mitigations, he said.
“If I don’t end up hearing back from them in my next few attempts at contact, I will publish the exploit that I used,” he told Threatpost. “CVE-2021-42109 has been reserved for the Exterity IPTV privesc vulnerabilities, with my blog post being listed as a reference.”
Exterity provided a statement to Threatpost:
“Exterity is aware of the issue regarding the network incident on April 30, 2021 at Illinois School District 214 and is in contact with the relevant parties to understand and address the reported vulnerabilities and issues. Prior to the blog posting on 14 October, Exterity was not notified by District 214 of any issue nor network security concerns related to the Exterity products on their district-wide network.
“As standard development practice, Exterity does extensive testing and verification on all deployed products and software. Best practice deployment guidelines strongly encourage changing default passwords on installation of products, as default passwords are one of the major contributing factors to large-scale security compromises. Exterity offers service agreements for customers to stay up to date on software upgrades and security patches.
“Whilst this particular incident did not have any malicious intent, the company takes the security of its solutions extremely seriously, is looking at this as a matter of urgency, and will action any necessary steps.”
The Big Rick
“The Big Rick,” as the prank was called, came off beautifully — hijacking every TV, projector and monitor on the district’s IPTV system to play Rick Astley’s classic video for “Never Gonna Give You Up.”
Projectors and TVs across the Township district are all connected, and can be controlled through a blue box with three Exterity tools: The AvediaPlayer receiver, the AvediaStream encoder and the AvediaServer for management.
“These receivers include both a web interface and an SSH server to execute the serial commands,” he wrote. “Additionally, they run embedded Linux with BusyBox tools, and use some obscure CPU architecture designed for IoT [internet of things] devices called ARC (Argonaut RISC Core).”
The monitors can be centrally controlled to broadcast and receive things like morning announcements; with his exploit, Minh had full access and control.
“Since freshman year, I had complete access to the IPTV system,” he said. “I only messed around with it a few times and had plans for a senior prank, but it moved to the back of my mind and eventually went forgotten.”
Until he had the idea for “the Big Rick.” There’s even a video to document the moment:
“This is where I state the disclaimer again: never access other systems in an unauthorized manner without permission,” he wrote.
So far, there’s no indication that Threatpost could uncover that the bugs have been fixed by Exterity, which was recently acquired in April by IP video-tech company VITEC. According to its company site, Exterity is used across the world to deliver broadcast-quality television over IP networks.
IP Video Cybersecurity Attacks
The news comes as IP video vendors are increasingly under attack by threat actors.
For instance, three bugs were found in IP video surveillance systems from Axis communications earlier this month (CVE-2021-31986, CVE-2021-31987, CVE-2021-31988), which researchers said impacted every device run on the company’s embedded operating system.
Last summer, the Cybersecurity and Infrastructure Security Agency (CISA) issued a warning about a supply-chain flaw in ThroughTek security cameras that left them open to unauthorized access.
As for Minh, he’s studying at University of Illinois at Urbana-Champaign this semester, and said he’s interested in pursuing a career in infosec.
This story was updated at 2 p.m. ET on Oct. 18, 2021, with Exterity’s statement.
Check out our free upcoming live and on-demand online town halls – unique, dynamic discussions with cybersecurity experts and the Threatpost community.