Malicious Syndication Incident
We have been made aware of a reported incident where FurCast & XBN content was syndicated without our knowledge on a terrestrial FCC licensed FM radio station. We are deeply sorry to hear about this inappropriate incident. FurCast and XBN content is made freely available on iTunes, our website and our YouTube channel for anyone to download and distribute. We are a group of friends who publish audio and video entertainment, wherein it is marked for containing explicit and inappropriate content.
We are working with law enforcement to investigate this incident. We have preserved all access log files.
2016-04-07 0230 UTC – Update 1 – Updated to reflect server log findings
2016-04-08 0130 UTC – Update 2 – Updated to reflect Ars Technica article & Michigan Association of Broadcasters press release.
2016-04-09 0315 UTC – Update 3 – Update to reflect Barix press release.
Update 2016-04-07 0230 UTC
Multiple news outlets have reported incidents involving our content being maliciously syndicated on terrestrial radio stations around the world. After reviewing log files on the XBN streaming server, we have discovered large numbers of IP addresses attempting to connect to our archive stream. Our archive stream is an automated playout server that streams a playlist of our latest 10 episodes. It normally runs 24/7 for use with our website and our iOS & Android mobile apps. We took down the archive stream as soon as we heard of the incident with KIFT-FM, however hundreds of connections continued to spam the server with requests. We also noticed that a majority of the connections made had the user agent “Barix Streaming Client.” Barix is a well known manufacturer of audio streaming hardware. Their products are commonly sold to the broadcast and retail industries. They are commonly used for PA systems, studio-to-transmitter links, retail store environments, on-hold music and so on. We examined a small sample of the IP addresses and looked them up. All of the ones we sampled were listed on the website Shodan; a web-based search engine that searches the internet for devices instead of websites.
We gathered a list of all the IP addresses used and blocked them via our server’s firewall. We then brought our archive playlist stream back up under a new name & new stream URL. So far we have had no new connections on the renamed stream, although we are finding what appear to be new IP addresses attempting to connect to the old stream.
The above image is a bandwidth usage graph of our streaming server. Normally little is used during the week until our main streams for the show go live on the weekend. As you can see around 0600 Eastern Daylight Time (1200 UTC), the bandwidth started growing at a steady pace. At just after 1430 EDT our stream was disabled and the bandwidth drops. This fits with what we observed in server log files where more and more Barix streaming devices continued to hit our server with requests. The bandwidth then jumps again when we brought our stream up for testing. We broadcasted test audio containing beeps during this time and did not air normal content.
We now understand how our audio stream was pulled and what was pulling it, but we still have unanswered questions.
- Why was our stream used? Our icecast stream is one of millions around the world. We do produce content for a limited audience that contains profanity and adult content, but otherwise have no understanding of why our stream was maliciously syndicated without our knowledge. We are not sure if our stream was picked deliberately, or at random (our stream is publicly listed on the main Icecast Streaming Directory).
- What was the scale of this attack on our system? Would this have grown if our stream was not halted? The gradual growth of bandwidth suggests that more and more connection requests flooded in at a steadily growing pace. We are not sure if this is consistent with botnet behaviour.
- What was the scale of this for everyone else? We also do not know who may have been affected by this. There were hundreds of IP addresses connecting to our streaming server. We are aware of the incident at KIFT-FM only because we were contacted by a journalist at Denver CBS. After searching many news feeds and Twitter trends, we have seen evidence of several other affected radio stations, but are otherwise unsure of the scale or extent. Barix streaming devices have many use cases beyond just the broadcast industry.
To summarize what we do know:
- The incident seems to affect only Barix hardware. It could be an exploit of Barix hardware or a botnet attempting to log into whichever devices it could to then change the source stream URL. There are hundreds of results on Shodan when searching for Barix devices. We advise anyone that could be or are victims of this exploit to change login credentials and make sure any broadcast workflow equipment is not easily internet accessible.
- The suspicious connections to our streaming server seemed to start Tuesday, April 5th, around 0600 EDT and continued until approximately 1430 EDT when this was brought to our attention and we shut down the stream.
The XBN staff and everyone involved in the FurCast show would like to sincerely apologize to whoever may have been affected by these incidents. We as an organization are a group of like-minded friends producing content for a niche audience. Our content is discovered by individuals who specifically seek what we produce, and they do not normally come into contact with it via public means. We have no interest in being discovered by a mainstream audience. We are deeply disturbed to hear of these incidents and all the negative implications it has caused. If anyone from the media, or law enforcement would like additional information please feel free to email us at the address listed on our contact page. All of the information released above has been gathered using server log files and public media reports online. We will continue to monitor our streaming server for any suspicious connections, and will take down our stream if needed.
We may update this page with additional information if it becomes available.
Update 2016-04-08 0130 UTC
Ars Technica has published an article about the malicious syndication incident. In it, they wrote:
“KIFT wasn’t the only station to be hit by the hack. On the same day, Livingston, Texas-based country music station KXAX also broadcast raunchy furry-themed audio. And according to an article posted Wednesday by radio industry news site RadioInsight.com, the unauthorized broadcasts from a hobbyist group called FurCast were also forced on an unnamed station in Denver and an unidentified national syndicator.”
In addition we’d like to present a quick clarification to Ars’s article: We are not a “furry sex” podcast. We are an improv comedy themed furry podcast with no censor.
The Michigan Association of Broadcasters has also published an article and advisory on Barix hardware security.
We still have not learned any new details to answer the questions posted in the previous update. If you have any additional information related to this incident that is not in this press release or may be of benefit to those who were affected, please contact us.
Update 2016-04-09 0315 UTC
Barix, the communications company and hardware manufacturer behind the devices that appear to have been compromised in the malicious syndication incident has posted a press release to address concerns. In it, they stress that standard IT security practice must be applied when deploying their hardware.
Barix would like to emphasize that its devices are secure for Broadcast use when set up correctly and protected with a strong password. With several hundreds of thousands of Barix devices in operation worldwide, these unfortunate security breaches are an extreme rarity.
The problem rests with securing things on the Internet in general. By checking one of the named listing sites, significant numbers of Internet-connected devices of all types and brands can be found. These devices are easily accessible if not properly protected.