High School Student Hacks Entire School District’s Screens, Then Rickrolls Viewers

October 18, 2021 by Dave Haynes

Here’s a cautionary tale for anyone running an enterprise-level digital signage network: an Illinois high school student managed to take over the digital signage and other IPTV-connected screens across a full school district back in April. But instead of running naughty videos, he rickrolled them.

A post on WhiteHood Hacker details:

On April 30th, 2021, I rickrolled my high school district. Not just my school, but the entirety of Township High School District 214. It is one of the largest high school district in Illinois, consisting of 6 different schools with over 11,000 enrolled students.

This story isn’t one of those typical rickrolls where students sneak Rick Astley into presentations, talent shows, or Zoom calls. I did it by hijacking every networked display in every school to broadcast “Never Gonna Give You Up” in perfect synchronization. Whether it was a TV in a hall, a projector in a classroom, or a jumbotron displaying the lunch menu, as long as it was networked, I hacked it!

In this post, I’ll be explaining how I did it and how I evaded detection, as well as the aftermath when I revealed myself and didn’t get into trouble.

We prepared complete documentation of everything we did, including recommendations to remediate the vulnerabilities we discovered. We went a comprehensive 26-page penetration test report to the D214 tech team and worked with them to help secure their network.

The post gets into how the student – Minh Duong – penetrated the network and took over the IPTV system supplied by the Scottish tech firm Exterity. Duong is now in university taking computer science (surprise!). He did not get in trouble, as his whole thing appears to have been an exercise in penetration testing, and the output was a pile of documentation and recommendations to patch the vulnerabilities.

With that said, what we did was very illegal, and other administrations may have pressed charges. We are grateful that the D214 administration was so understanding.

I checked the Exterity site and social media. It looks like they are steering clear of commenting. I am not even vaguely technical enough to say where the real vulnerability was in this set-up, but the various parties are, I am sure, happy this was all that happened, and that the output was recommendations on fixes, not demands for money or videos that were embarrassing or awful, and not just funny.