The Public Safety and Homeland Security Bureau (Bureau) of the Federal Communications Commission (Commission) has issued a Public Notice reminding broadcasters of their responsibility to ensure the security of their broadcast networks and systems. In particular, the notice is issued in response to the recent string of cyber intrusions against various radio broadcasters that resulted in the broadcast of obscene materials and the misuse of the Emergency Alert System (EAS) Attention Signal (Attention Signal). The Commission cites two recent attacks, one in Houston, Texas and another in Richmond, Virginia.

It appears that these recent hacks were caused by a compromised studio-transmitter link (STL)—the broadcast equipment that carries program content from the studio to remote transmitters—with threat actors often accessing improperly secured Barix equipment and reconfiguring it to receive attacker-controlled audio in lieu of station programming. Affected stations broadcast to the public an attacker-inserted audio stream that includes an actual or simulated Attention Signal and EAS alert tones, as well as obscene language, and other inappropriate material.

The Commission is urging all broadcasters, especially those using Barix equipment, to:

• Install software security patches issued by the equipment manufacturer as soon as they become available, and upgrade equipment firmware and software to the most recent versions recommended by the manufacturer.
• Change their devices’ default passwords and replace them with robust alternatives, and regularly change passwords to promote continued security.
• Where reasonably feasible, install EAS, Barix, and other equipment interconnected to the broadcast signal processing system behind network firewalls, and utilize VPNs that are configured to limit remote management access to only authorized devices.
• Continually monitor EAS equipment and software and review audit logs to detect and report incidents of unauthorized access.
• Review the list of recommended best practices to address potential data security vulnerabilities issued by the Communications Security, Reliability, and Interoperability Council in 2014.

The FCC encourages broadcasters to contact their EAS equipment manufacturers with any specific questions regarding the security of EAS equipment. If you suspect that broadcast equipment has been
subject to attempts at unauthorized access, we recommend you contact the equipment manufacturer and/or a data security firm. We strongly encourage broadcasters who suspect unlawful access to their
systems to notify the FCC Operations Center at 202-418-1122 or FCCOPCenter@fcc.gov and to report any cyberattacks to Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3) at
https://www.ic3.gov/.