Several stations using Barix codecs for STL have been diverted to receive an adult-oriented stream, then locked to that stream this week. Many theories are floating about the sophistication of the attack, but I'm a fan of Occam's Razor on this. I've seen enough web interfaces unprotected out there that I think this attack employed a simple lookup on an Internet-of-Things directory site, then login via default password.
For Comrex codecs, it's a good time to review security options:
Minimum: Change the default web interface password to something long and secure. Don't put the codec on an IP address with a searchable URL (this helps it not show up on google search).
Reasonably Cautious: Secure the web interface (port 80) behind a firewall with VPN capability. Use the connection password function to secure your BRIC normal connections. If not using them, disable SIP/EBU 3326, HTTP and standard RTP functionality (these are off by default).
Very Secure: Disable the web interface entirely and use only the local GUI (applies to ACCESS only). Turn off remote diagnostics via SSH (note: SSH requires a key from the factory that is never shared, therefore is already quite secure). Apply an encrypted VPN to the codecs on each end of the link, so your actual stream is encrypted.
And be careful out there!
Hi Tom, Can you provide more information about what you mean in the last sentence where you say, "Apply an encrypted VPN to the codecs on each end of the link, so your actual stream is encrypted." Can you explain how this is done or any other ways to encrypt the Comrex audio signal being sent?
ReplyDeleteThanks
Tony