They called it "The Big Rick." At 11 am on April 30th, 2021, each networked display screen in a large Illinois school district played "Never Gonna Give You Up." Three hours later, the automated bell system played the song, instead of a bell tone, to dismiss students from school. Why? A group of techy high schoolers, who had discovered serious security vulnerabilities, wanted a laugh.
"This story isn't one of those typical rickrolls where students sneak Rick Astley into presentations, talent shows, or Zoom calls. I did it by hijacking every networked display in every school to broadcast "Never Gonna Give You Up" in perfect synchronization. Whether it was a TV in a hall, a projector in a classroom, or a jumbotron displaying the lunch menu, as long as it was networked, I hacked it!"
Minh Duong
Minh Duong had port scanned the IP range of the internal district network as a freshman, discovering exposed devices. Almost four years later, he decided to take advantage of the vulnerabilities for a senior prank.
"Setting up the stream was arguably the most time-consuming part of preparation because testing was an absolute pain. I only needed a single projector for development, but it's not easy when classes are using them during the day.
So I tested at night instead. I would remotely connect to one of the PCs in the computer lab with the front camera facing the projector. Then, I would record a video to test if the projector displayed the stream correctly."
Minh Duong
The group evaded disciplinary action because they sent a detailed, 26-page report to the tech team showing exactly how they had done the prank, and giving tips to improve security.
"The vulnerabilities exploited to gain initial access were implementation-specific (meaning D214 was at fault for using default passwords). However, I discovered vendor privilege escalation vulnerabilities in all of Exterity's IPTV products, allowing me to gain root access across all systems. One of these bugs was a simple GTFO-bin, but the other two are novel vulnerabilities that I cannot (and should not) publish."
Minh Duong