Broadcast cyber threats evolve as infrastructure moves from SDI to IP
Weekly insights on the technology, production and business decisions shaping media and broadcast. Free to access. Independent coverage. Unsubscribe anytime.
Broadcasters now face the same range of cyber threats as any other business operating on IP networks, with additional exposure tied to the studio-to-transmitter links, RDS encoders and EAS equipment that make broadcasting work, Wayne Pecena said during a presentation at the FCC’s cybersecurity workshop for broadcasters.
Pecena, associate director of educational broadcast services at Texas A&M University and a past president of the Society of Broadcast Engineers, opened the workshop with a survey of the threat landscape, the tools attackers and defenders use, and the practices that can reduce a station’s exposure.
He grouped the threats into four broad categories: denial of service, content hijacking, malware and ransomware. The mechanics of each have changed as broadcast plants have moved away from baseband equipment toward IT-based infrastructure.
“That traditional rack room or that technical operations center looks more like a data center with traditional dedicated equipment replaced with computers running specific broadcast applications,” Pecena said.
From physical access to remote attacks
Disrupting a broadcast signal is not new, Pecena said. He cited the 1987 “Max Headroom” signal intrusion in Chicago, in which two stations had programming overridden, and the 1986 “Captain Midnight” transmission that interrupted an HBO satellite feed, as early examples. Both required attackers to be physically located in specific places with specific equipment.
Today, the same kinds of disruption can be carried out from anywhere with an internet connection.
Pecena pointed to KQED in San Francisco, which was hit by a cyber incident in 2017 and chose to publicize the event, as a turning point in industry awareness. Since then, he said, most major broadcast organizations have experienced some form of incident, and many smaller operators have been affected without making industry headlines.
He cited a 2022 presentation at the DEF CON security conference that walked through the design and operation of the EAS system in detail.
“The broadcast infrastructure has been sort of, I don’t want to say in its own bubble, but it’s somewhat isolated from general knowledge. But that is changing,” Pecena said.
Specific broadcast targets
Three pieces of equipment are particular targets in the broadcast chain, Pecena said: the studio-to-transmitter link, RDS data encoders and EAS encoder/decoders. He described an example station that used the public internet as its STL path, with no firewall between the EAS encoder/decoder and the wider internet, and with default credentials still in place.
“In a simple world, devices such as that STL equipment, your RDS encoders, your EAS encoder, decoder, you never should be connected to the public Internet,” Pecena said.
He outlined a layered alternative: a firewall between the EAS device and the internet, configured to permit only outbound traffic to the EAS CAP server network; encrypted tunnels between studio and transmitter sites; and a separate VPN tunnel for remote access by engineers. Suitable firewalls and combination VPN and firewall devices for smaller stations are available for under $1,000, he said.
The consequences of a successful attack on any point in that chain include dead air, alternate programming, lost spot revenue, public embarrassment and legal liability for content the station did not authorize.
Tools used on both sides
Pecena demonstrated two tools commonly used in reconnaissance: Nmap, an open-source network scanner with more than 125 commands and a graphical front-end called Zenmap, and Shodan, a search engine that catalogs internet-connected devices.
Using Zenmap, he showed how a single scan of an IP address could identify open ports, services, software versions and, in his example, the make and model of an EAS encoder/decoder. From there, he said, an attacker could check for default credentials or known vulnerabilities in specific software versions.
Shodan continuously scans the public internet and indexes devices by manufacturer, product and other attributes.
A search the week of the workshop returned 410 Barix devices on the public internet, along with a larger number of Tieline units, Pecena said. A similar scan a year earlier returned 616 Barix devices, one of which still used default login credentials and allowed access to its graphical interface.
The most useful application of Shodan for a broadcaster, Pecena said, is checking what equipment in their own plant is visible from the public internet.
AI on offense and defense
Artificial intelligence is being used on both sides of the threat landscape. Defenders are using it for real-time detection and automated response. Attackers are using it to generate phishing messages, create deepfake audio and video, accelerate vulnerability discovery and automate botnets used in distributed denial-of-service campaigns.
“AI is going to continue to have a widespread use in defense strategy, but also is going to have an active use in the creation of threats, accelerating the process, accelerating the scale, and the sophistication of those threats that exist there,” Pecena said.
The direction of travel, he said, is toward more autonomous attacks that require little human involvement.
There is no single solution to cybersecurity, Pecena said.
He recommended a layered approach built on a current equipment inventory, a segmented network using VLANs to limit the reach of any compromise, port security features on managed switches, replacement of default credentials with unique and strong passwords, disabling of services that are not in use and continued attention to social engineering.
The CISA Known Exploited Vulnerabilities Catalog, which contained more than 1,500 entries at the time of the workshop, is a starting point for prioritizing patches, he said.
“A single successful phishing attempt can really negate a lot of cybersecurity type applications,” Pecena said.




tags
Cybersecurity for Broadcasters, FCC
categories
Broadcast Engineering, Featured