A string of radio hijacks exposes a deeper weakness

What looked like scattered on-air pranks increasingly resembles a security problem rooted in exposed audio gear and old trust assumptions.

A story about a radio station feed being hijacked popped up in my Facebook feed today, and it immediately felt familiar. Not because this kind of thing is common, exactly, but because it is no longer unusual.

I have been hesitant to make too much of these incidents. One station gets strange audio, another airs fake alert-style tones, a clip circulates online, and the whole thing risks sounding more like prank culture than a serious security issue. Even after the FCC warned in November about a recent string of intrusions tied to exposed broadcast audio equipment, it was easy to treat each new episode as a one-off. No single incident by itself looked like a major operational disruption. Taken together, though, they are starting to look less like isolated stunts and more like a persistent weakness in the broadcast chain.

That is what caught my attention about the reported hijack of 107.7 The Bay in Michigan. A Facebook post circulating Monday said the Alpena-licensed station was hijacked around 6 p.m. on April 5, with listeners hearing sped-up Disney music, fake alert-style audio and then silence. I was able to confirm the post and the station's identity through FCC records, though not the exact timeline, duration or method of the intrusion.

Even with those caveats, the larger pattern is no longer speculative. In a Nov. 26 public notice, the FCC said it had seen a recent string of cyber intrusions against radio broadcasters in which attackers hijacked studio-to-transmitter links and aired obscene material along with actual or simulated Emergency Alert System tones. The agency said threat actors were often accessing improperly secured Barix equipment and reconfiguring it to carry attacker-controlled audio instead of station programming.

What makes the Barix angle unsettling is how mundane it is. This does not look like some dazzling new exploit. It looks like the kind of preventable IT failure that shows up everywhere: a box exposed to the internet, weak credentials, sloppy deployment and nobody thinking too hard about it because it is just a piece of broadcast gear. Except this is not just a router in a back office. It is equipment that can put attacker-controlled audio onto a licensed radio signal.

That is when the story stops being funny. A station gets hijacked, strange audio goes out over the air, a clip bounces around online, and it is easy to file the whole thing under internet-age weirdness. But when regulators are warning that the same kind of exposed audio gear keeps turning up in these incidents, the pattern starts to look a lot less like prank culture and a lot more like neglected infrastructure.

The strongest recent example came in Houston. ESPN 97.5 KFNC was hacked during a live NFL broadcast in November, and station management said the problem surfaced while the outlet was relying on backup transmission equipment after a power outage. Radio Ink reported that general manager Todd Farquharson said the attackers exploited the backup Barix setup, and the FCC later cited that Texas incident as part of the basis for its warning.

Days earlier, a similar incident hit Radio IQ in the Richmond area. The station said its backup audio signal was hacked on Nov. 19 and carried unauthorized material over 89.7 FM after silence triggered the backup feed. Radio World later reported that the compromised device was a Barix Exstreamer 100 on the backup path.

Smaller-market stations have described the same kind of problem. Radio World reported that KPOG-LP in Des Moines aired obscene lyrics and a false Emergency Alert System message in September after its Barix Exstreamer was accessed and its password changed, forcing a factory reset. The same report said KRLL in California, Missouri, was hit twice in one week during the Labor Day period.

What elevates all of this above station gossip is the public-safety angle. The FCC has warned that misuse of actual or simulated EAS attention signals can erode trust in emergency alerts, and it has reminded broadcasters that they must notify the commission within 24 hours after discovering a false EAS tone transmission. Reuters, summarizing the FCC action, said the agency specifically tied recent Texas and Virginia incidents to unsecured Barix gear.

I remember attending a DEF CON talk in 2008 about the Emergency Alert System and the odd risks that emerge when broadcasters trust what they hear from upstream sources. At the time, it felt like one of those unsettling but remote warnings about a brittle piece of legacy infrastructure.

What stuck with me was the basic premise. EAS was built around a broadcast daisy chain, with stations monitoring designated upstream sources and relaying valid alert data onward. The danger was never just a fake message on one signal. It was the possibility of downstream equipment reacting to it. Matt "DCFLuX" Krick's talk, "Flux on EAS," framed the tones and header data not as mere sounds but as operational signaling inside a system designed to trust what it heard from approved sources.

Rereading the slides now, what stands out is how concrete Krick's argument already was. He walked through EAS as a live operational system: how the headers worked, how stations monitored designated upstream sources, and how state and local plans governed what got relayed. That was not just true in 2008. The underlying relay logic is still part of the system now.

That trust model exists for a reason. It comes out of a Cold War civil-defense mindset, when the urgent problem was how to get a presidential warning or attack notice onto the air quickly and keep it moving through the broadcast network. It was built for resilience and reach, not for a world of internet-exposed devices and modern cyber abuse. That history still lingers in the architecture.

I reached out to Krick after I went looking for that old presentation and came up empty. His description of the modern internet-facing side of broadcast infrastructure sounded a lot like every other exposed online service: constant scanning, constant probing, constant noise from would-be intruders. He told me it is getting real bad with port scanning and stuff like that. When he recently put a new audio streaming server online for his stations, he said, it logged about 90 login attempts on the first day, before he had even advertised the new IP address.

That is what makes the Barix issue feel bigger than a string of on-air pranks. A compromised Barix could open a modern path into a much older trust system. Once an attacker can control what goes out over a licensed signal, the danger is no longer just a few minutes of chaos on the air. It is the possibility that other parts of the broadcast chain might still respond to that signal in ways they were never designed to defend. That does not mean every compromise would trigger a wider relay effect. But it does mean the old weakness no longer feels purely theoretical.

Barix and industry outlets have framed the problem as one of insecure deployment, not some newly discovered universal flaw in the hardware itself. Radio World reported that Barix told users some receiver devices had been exposed directly to the public internet with weak or no password protection, and a Barix executive separately said those devices should never be fully exposed online. That distinction matters. This appears to be, at least in large part, a story about poor security hygiene around critical broadcast-path equipment.

And that is the real issue now. If attackers can get into the audio chain at will, and if parts of the broadcast ecosystem still inherit trust assumptions from an earlier era, how long before someone tries something more ambitious than a prank?

A writer, intelligence analyst and technology enthusiast passionate about the connection between the digital and physical worlds.

His views expressed here do not necessarily reflect those of his employer, and he writes here as an individual.