Rickroll Grad Prank Exposes Exterity IPTV Bug:
When Township High School District 214 in Illinois got rickrolled all at once across its six different schools just before graduation, it was more than a meticulously executed senior prank.
Cybersecurity star-in-the-making and recent high-school graduate Minh Duong found, and was able to exploit, a zero-day bug in the district's Exterity IPTV system. The goof was received in good humor by school administrators, luckily for Minh and his cohorts, and the bug was reported to Exterity.
But so far, the company hasn't responded to Minh's disclosure or said anything about possible mitigations, he said.
"If I don't end up hearing back from them in my next few attempts at contact, I will publish the exploit that I used," he told Threatpost. "CVE-2021-42109 has been reserved for the Exterity IPTV privesc vulnerabilities, with my blog post being listed as a reference."
"The Big Rick," as the prank was called, came off beautifully — hijacking every TV, projector and monitor on the district's IPTV system to play Rick Astley's classic video for "Never Gonna Give You Up."
Projectors and TVs across the Township district are all connected, and can be controlled through a blue box with three Exterity tools: The AvediaPlayer receiver, the AvediaStream encoder and the AvediaServer for management.
[...] So far, Threatpost could find no indication that Exterity has fixed the bugs. Exterity was acquired in April by IP video-tech company VITEC, and neither company responded to Threatpost's inquiries by press time.
I hacked and rickrolled my entire high school district (03:16).
(Score: 2) by tangomargarine on Friday October 15, @09:23AM
I thought that "getting rickrolled" implied that it was something you got tricked into doing--the important part was that the user themself triggered it, usually by clicking on a link? In which case "I hijacked the campus network to display this video to everybody at a certain time" isn't really a rickroll.
P.S.: I'm so fucking tired of everything constantly being labelled a "zero-day" exploit when like 95% of exploits are zero-days, aren't they? In which case shut up about it and draw attention to when the exploit *isn't* a "zero-day" (which is more important anyway, because the company in question is either too incompetent to fix the problem, or too slow/cheap to address it in a timely manner--anybody can get bounced by a hack they didn't anticipate). This is just marketing bullshit because it sounds sexier.
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"