[Tyler] Hey there and welcome to Fully Modulated.
I'm Tyler and before we get into today's episode, quick reminder that this podcast is not connected to any radio stations, TV stations, or broadcasting companies.
It is just me talking about radio stuff that I find interesting.
So, let's talk about Labor Day back in September.
Most people were grilling burgers, right?
But if you were listening to KPOG in Demoin, Iowa on September 4th, you, well, you heard something way different than your uh normally scheduled programming.
Explicit content promoting X-rated websites started blasting through the airwaves.
And this wasn't some accidental uh you know, automation failure or a rogue DJ. No.
Someone hijacked their audio codec.
The thing is, this wasn't an isolated incident.
KRLL in California, Missouri got hit twice that same week.
Multiple other stations reported attacks on private broadcast engineering forums and all of them had one thing in common.
And if you're a radio engineer, you could probably already guess what it was.
Barix audio codecs that were sitting out there on the public internet.
Basically asking to be found.

Today, we're talking about how radio stations keep getting quote unquote hacked through these devices.
Why there are still hundreds of vulnerable codecs discoverable through something called Shodan.
And most importantly, what you can actually do to protect your equipment.
Because this problem isn't going away.
And if you're running a station with any Barix gear or any codec for that matter, you need to know this stuff.

[Tyler] All right, so let's start with what these Barix devices actually do.
Because if you're not in broadcast engineering, you might be wondering what the hell an audio codec even is.
And that's a valid question.
Radio stations use these boxes to get audio from the studio to the transmitter site.
You've got the instreamer at the studio that encodes the audio and sends it over an IP network.
Then you've got the exstreamer at the transmitter site that receives it and decodes it back in audio that goes to your broadcast chain.

It's basically your studio the transmitter link or STL.
The beauty of this setup is flexibility.
You can run it over a private network, least lines, or even the public internet.
Way cheaper than traditional microwave STL systems or running a dedicated, you know, dark fiber link.
Small market stations love these little things because they work.
And they don't break the bank.
They're less than, I think a thousand bucks per device, maybe 500 if you're going for the uh the uh exstreamer 500 model.
Barix has sold something like 1.4 million of these devices worldwide since 2001.
They're everywhere.
And that's kind of a problem.

So, September 4th rolls around and Bob Carr at KPOG is probably having a really nice holiday weekend when he finds out that his station is broadcasting pornography advertisements.
The attackers didn't just play inappropriate content.
They injected fake emergency alert system messages into the air chain.
And then, just to make sure Bob couldn't easily fix it, they changed the damn password on the device and locked them out of it completely.
KRLL got it even worse, twice in one week.
Same attack pattern, explicit content, fake EAS messages, password changes.
And these weren't, you know, sophisticated hackers, you know?
Not nation state actors or ransomware gangs demanding uh Bitcoin payments, just opportunistic people with free tools and some basic uh knowledge, really.

The tool that they used is something called Shodan.
If you've never heard of it, think of it as Google for internet connected devices.
Security researchers use it for legitimate purposes, but it's also a hacker's dream.
You can search for, you know, specific uh types of devices, specific open ports, specific vulnerabilities.
And right now, as of October 2025, there are 600 to 650 publicly accessible Barix devices just sitting out there on the public internet.
And 300 of those are in the United States.

Fletcher Pride from Family First Radio Network put it pretty well.
He said, quote, if Barix would make their devices not broadcast their presence prior to being signed into, the kind of attack that has been happening would be much harder as the attackers would not know where to attack. Unquote.
But they do broadcast their presence.
So the attack vector is stupidly simple.
Search for Shodan for exposed Barix devices, try default passwords or just brute force weak ones, redirect the audio stream to whatever content you want, change the password to keep those uh that are supposed to be in there out and you're done.
The scary part is how many stations still have their codecs set up with default passwords or just weak security in general.
We're talking about devices from 2003, 22 years old, still running at various transmitter sites.
Joannes Rachel, who founded Barix, estimates there are tens of thousands of these second generation devices still out there.
A lot of them shipped with either no password or default credentials that nobody ever bothered to change.

Small market stations don't always have a dedicated IT person.
Sometimes it's one engineer covering multiple stations or maybe the, you know, program director who also handles the technical stuff.
These folks are stretched thin and cybersecurity isn't always top of mind when you're just trying to keep the station on the air.
Rachel said something kind of brutally honest in a recent interview.
He said, quote, there's no such thing as a driver's license required to put devices onto the internet, unquote.
And that's the uh reality, right?
Anyone can plug these things in.
Most stations do it without even thinking about security implications.
It's because it just needs to work.

Okay.
So, now you're probably wondering, how do I make sure these uh attacks don't happen to me?
Because if if you're running Barix equipment, you should be at least a little concerned right now.
The number one rule and this is non-negotiable, never, ever expose Barix devices directly to the internet.
No port forwarding through your firewall, no public IP addresses, absolutely 100% never, ever any exceptions to that rule.
I cannot stress that enough.
The gold standard for protecting this equipment is VPNs.
Virtual private networks.
When you when you need to send audio over the public internet or access your devices remotely, you establish a VPN tunnel first.
Your instreamer at the studio and your exstreamer at the transmitter site need to communicate exclusively over this encrypted tunnel.
What this does is make your devices invisible to Shodan scans.
Attackers can't find what they can't see.
Your audio path needs to stay private even when it's going over the public internet and any remote management happens through that same secure tunnel.

Bob Carr at KPOG learned this the hard way.
His station had the exstreamer password protected, which sounds good, right?
But they also had port forwarding enabled for outside access.
That's the vulnerability right there.
After the hack, Bob immediately started planning a VPN implementation.
Better late than never, but it wouldn't have uh you know, it would have been better to do it before they got hit.

Now, if you can't deploy a VPN right away, Fletcher Pride recommends two interim approaches that are I guess better than nothing.
First option, remove port forwarding entirely from your uh router.
When you absolutely need access, temporarily open the port, do whatever you need to do, then immediately close it again.
This at least dramatically reduces your exposure window.
The downside is it requires manual intervention every single time, which, you know, is going to get old fast.
But it's it's it's way better than leaving that port open 24/7.
The second option is what he calls the jump box approach.
You place a computer inside your private network running remote viewing software, could be something like DW Service or any desk.
Then you access your local network through this computer's browser.
You get full internal network access while maintaining virtually no outside exposure.
Raspberry Pi computers are perfect for this.
They're cheap, reliable, and they automatically recover after a power failure.
You set it up once and it just sits there waiting for you to connect when you need it.

But here's the critical limitation with both of these alternatives.
Neither one works if you're using an instreamer on a private IP network pushing content to an exstreamer on a public IP network.
That configuration requires the receiving codec to be discoverable, which is exactly the vulnerability you're trying to eliminate.
For studio the transmitter links over the public internet, VPN tunnels become mandatory, not optional.

Beyond network isolation, there are some additional hardening steps you should probably be doing.
Set 24 character passwords, minimum on all your devices.
Never use default credentials on anything.
If you bought a piece of equipment and it came with a default password, change it.
Now. Like stop listening to this podcast and go do it.
Barix also offers something called their reflector service for secure cloud managed connections. Use it.
Keep all your firmware current on the uh you know, with the latest security patches and deploy access control list to restrict which IP addresses can even try to reach your devices.
Shane Toven, he's the director of technology at Franson Media put it this way, quote, while there are a small number of exceptions, very seldom does a piece of of uh broadcast equipment need a direct public IP address or port forwarding through a firewall.
The key here is using things like VPN tunnels and access control list, unquote.

So, why does all of this matter?
I mean, you know, beyond the obvious embarrassment of having explicit content broadcast over your station.
The fake emergency alert system messages are the real problem.
When people hear fake EAS alerts, they stop trusting the real ones.
And the EAS exists for genuine emergencies.
You know, tornadoes, flash floods, amber alerts, all that stuff.
If listeners tune out because they've heard of, you know, a fraudulent alert, the entire system breaks down.
That's a public safety issue.

But this also illustrates something bigger....
We're living with decades of legacy internet of things devices that were never designed with security in mind.
These things will remain in service for years because replacing them cost money that small broadcasters just simply don't have.
And when those organizations are managing critical infrastructure, whether that's broadcast stations or water treatment plants or traffic control systems, we've got a problem.

The attacks they keep happening because nothing fundamentally has changed since 2016.
That was the first major documented Barix attack.
The Furcast incident where hackers played an explicit podcast on multiple radio stations, same vulnerabilities still work today.
Same Shodan searches reveal the same types of devices.

Broadcast engineers are still finding out about successful attacks only after inappropriate content has already aired.
Industry awareness has definitely grown.
Codec manufacturers like Teline now emphasize security best practices in their documentation.
Conference presentations talk about this kind of stuff.
There are more resources available than ever, but awareness alone doesn't retrofit VPNs onto small market stations running on shoestring budgets.
It doesn't replace 22 year old equipment that still works just fine for audio transport, but has security that's basically uh Swiss cheese.

Until those 600 plus exposed devices get properly secured or pulled offline, more attacks are going to happen.
The tools are free, the targets are known, the vulnerabilities persist.
The only question is when, not if.

[Tyler] All right, so let's recap.
Radio stations rely on Barix codecs for studio the transmitter links.
Hundreds of these devices are exposed on the public internet right now.
Discoverable through Shodan.
Attackers are using them to broadcast inappropriate content and fake emergency alerts.
The September 2025 attack were just kind of the latest in a pattern that goes back nearly a decade at this point.
If you're running this equipment, the solution is obvious, VPN tunnels.
Don't expose your codecs directly on the internet.
Don't rely on just passwords.
Don't do port forwarding, lock everything down behind proper network security.
It's not just optional anymore, if it ever was.

I feel like I'm scolding people.
But we got to get the point across that in some way.
This isn't going to go away.
The vulnerabilities are known at this point.
The the attack methods are documented and the tools are freely available.
The only defense is proper security implementation and that means VPNs and access controls.

[Tyler] All right, I'll quit scolding you guys.
Thanks for listening to this episode of Fully Modulated.
If you found this useful, I'd really appreciate it if you could uh help the show grow.
Follow us on your favorite podcast app, leave a rating and review on Apple Podcast or Spotify.
It actually does make a huge difference in helping others find the show.
Share this episode with anyone who's still running these uh ancient little broadcast tools.
Send it to your chief engineer, your station manager, anyone who needs to hear this information.
And if you're, you know, if if you've got questions, experiences with I don't know, codec security or just want to share your thoughts, send me an email, Tyler@fullymodulated.com.
You can also find me on the social media. We're at Fully Modulated on Facebook, at Fully Modulated Pod on Instagram and at FullyModulated.com over on Blue Sky.
Come say hi, share your stories. Let me know what topics you want to hear about.
This has been Fully Modulated.
Stay secure out there and keep those VPNs up and running.