(C) BoingBoing
Author Name: BoingBoing
This story was originally published on Boingboing.net. [1]
License: CC-BY-NC-SA 3.0.[2]


Techy high schooler rickrolls his entire district, then helps secure its network

2021-10-14 00:00:00

They called it "The Big Rick." At 11 am on April 30th, 2021, each networked display screen in a large Illinois school district played "Never Gonna Give You Up." Three hours later, the automated bell system played the song, instead of a bell tone, to dismiss students from school. Why? A group of techy high schoolers, who had discovered serious security vulnerabilities, wanted a laugh.

"This story isn't one of those typical rickrolls where students sneak Rick Astley into presentations, talent shows, or Zoom calls. I did it by hijacking every networked display in every school to broadcast "Never Gonna Give You Up" in perfect synchronization. Whether it was a TV in a hall, a projector in a classroom, or a jumbotron displaying the lunch menu, as long as it was networked, I hacked it!" Minh Duong

Minh Duong had port scanned the IP range of the internal district network as a freshman, discovering exposed devices. Almost four years later, he decided to take advantage of the vulnerabilities for a senior prank.

"Setting up the stream was arguably the most time-consuming part of preparation because testing was an absolute pain. I only needed a single projector for development, but it's not easy when classes are using them during the day. So I tested at night instead. I would remotely connect to one of the PCs in the computer lab with the front camera facing the projector. Then, I would record a video to test if the projector displayed the stream correctly." Minh Duong

The group evaded disciplinary action because they sent a detailed, 26-page report to the tech team showing exactly how they had done the prank, and giving tips to improve security.

"The vulnerabilities exploited to gain initial access were implementation-specific (meaning D214 was at fault for using default passwords). However, I discovered vendor privilege escalation vulnerabilities in all of Exterity's IPTV products, allowing me to gain root access across all systems. One of these bugs was a simple GTFO-bin, but the other two are novel vulnerabilities that I cannot (and should not) publish." Minh Duong

In a blog post, Duong documents exactly how he conceived and executed the prank. He now attends the University of Illinois Urbana-Champaign.

[1] URL: https://boingboing.net/2021/10/14/techy-high-schooler-rickrolls-his-entire-district-then-helps-secure-its-network.html
[2] URL: https://creativecommons.org/licenses/by-nc-sa/3.0/us/
