Student Prank Uncovers Zero-Day Vulnerability in Exterity Devices

An Illinois teenage student discovered a zero-day vulnerability in the Exterity IPTV system during a prank he played in his school district before graduation.

On April 30, 2021, Minh Duong and friends took over all networked televisions and other displays in six high schools in Illinois Township High School District 214 and played “Never Gonna Give You Up” under the guise of an important announcement.

The hack, detailed in a published blog post, involved scanning devices connected to the school’s network and analyzing their firmware for bugs. The payload that hijacked school televisions and displays was timed to deploy during recess so as not to interfere with classes or exams.

https://whitehoodhacker.net/posts/2021-10-04-the-big-rick

The result of all this careful planning has been a huge success, and the students of the district have been posting about it on social media.

He said it took him years to arrange the hack.

The earliest scan log timestamp we could find in our archives was November 28, 2017, and we began documenting network resources on December 3

Because anyone on the network could connect to any camera in any building without authentication

But playing a key role in the success of this prank was a series of privilege escalation vulnerabilities in the Exterity IPTV product that the district was using to stream and control internal security cameras and displays on the network.

One was a simple GTFOBin, but the other two are new vulnerabilities that cannot (and should not) be disclosed.

Minh, currently a student at the University of Illinois at Urbana-Champaign, has contacted the vendor about the two zero-day reports, but has not heard back from the company.

All of Exterity’s firmware updates are locked to the customer portal, so we can’t confirm if these issues have been patched at some point, but I’m pretty sure they’re present in the late 2020 update.

Minh now comments that he wants to work in cybersecurity.
