Exterity school system hacked by Rick Astley pranksters

A former high-school student has explained how he hacked every networked screen across the six schools that made up his school district, getting all screens to play Rick Astley’s song “Never Gonna Give You Up” at the same time.

Writing initially on his White Hat Hacker blog, Minh Duong said that the exploit gave him the ability to manipulate an Exterity IPTV system and an audio system.

Duong performed the exploit with fellow high-school students who have chosen to remain anonymous. The Rick Astley song was chosen because of its role in an internet meme, known as ‘rick-rolling’, in which website users are tricked into clicking on a link which opens up a performance of the song.

In his article, Duong said: “On April 30th, 2021, I rickrolled my high school district. Not just my school but the entirety of Township High School District 214. It’s the second-largest high school district in Illinois, consisting of six different schools with over 11,000 enrolled students.”

He added: “This story isn’t one of those typical rickrolls where students sneak Rick Astley into presentations, talent shows, or Zoom calls. I did it by hijacking every networked display in every school to broadcast ‘Never Gonna Give You Up’ in perfect synchronisation. Whether it was a TV in a hall, a projector in a classroom, or a jumbotron displaying the lunch menu, as long as it was networked, I hacked it!”

The story, which was also syndicated by The Next Web, begins with Duong and his friend port scanning the entire IP range of an internal school district network, finding printers, IP phones and even security cameras without any password authentication. But the real glory, or infamy, involved gaining control of the Exterity IPTV system consisting of AvediaPlayers, AvediaStream and AvediaServer devices.

Duong had access to this IPTV system from his freshman year but waited until his senior year, and until in-person instruction returned after a Covid-related break, before playing the prank. His exploit relied on implementation-specific vulnerabilities, such as the school district's use of default passwords, and on what he describes as vendor privilege escalation vulnerabilities.

Duong and his friends escaped punishment, as they had provided documentation and guidelines related to their feat to the school district’s technical team, initially in an anonymous email and subsequently in an in-person briefing by Duong himself, with his anonymous friends joining by Zoom.

Reference: Avinteractive