Techy high schooler rickrolls his entire district, then helps secure its network

They called it "The Big Rick." At 11 am on April 30th, 2021, each networked display screen in a large Illinois school district played "Never Gonna Give You Up." Three hours later, the automated bell system played the song, instead of a bell tone, to dismiss students from school. Why? A group of techy high schoolers, who had discovered serious security vulnerabilities, wanted a laugh.

"This story isn't one of those typical rickrolls where students sneak Rick Astley into presentations, talent shows, or Zoom calls. I did it by hijacking every networked display in every school to broadcast 'Never Gonna Give You Up' in perfect synchronization. Whether it was a TV in a hall, a projector in a classroom, or a jumbotron displaying the lunch menu, as long as it was networked, I hacked it!"

Minh Duong

Minh Duong had port scanned the IP range of the internal district network as a freshman, discovering exposed devices. Almost four years later, he decided to take advantage of the vulnerabilities for a senior prank.

"Setting up the stream was arguably the most time-consuming part of preparation because testing was an absolute pain. I only needed a single projector for development, but it's not easy when classes are using them during the day.

So I tested at night instead. I would remotely connect to one of the PCs in the computer lab with the front camera facing the projector. Then, I would record a video to test if the projector displayed the stream correctly."

Minh Duong

The group evaded disciplinary action because they sent a detailed, 26-page report to the tech team showing exactly how they had done the prank, and giving tips to improve security.

"The vulnerabilities exploited to gain initial access were implementation-specific (meaning D214 was at fault for using default passwords). However, I discovered vendor privilege escalation vulnerabilities in all of Exterity's IPTV products, allowing me to gain root access across all systems. One of these bugs was a simple GTFO-bin, but the other two are novel vulnerabilities that I cannot (and should not) publish."

Minh Duong

In a blog post, Duong documents exactly how he conceived and executed the prank. He now attends the University of Illinois Urbana-Champaign.