Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Tyler (00:24):
Hey there, and welcome to
Fully Modulated.
I'm Tyler, and before we get into today's episode, quick
reminder that this podcast is not connected to any radio
stations, TV stations, or broadcasting companies.
It is just me talking about radio stuff that I find
(00:44):
interesting.
So let's talk about Labor Day back in September.
Most people were grilling burgers, right?
But if you were listening to KPOG in Des Moines, Iowa on
September 4th, you well, you heard something way different
(01:09):
than your normally scheduled programming.
Explicit content promoting X-rated websites started
blasting through the airwaves.
And this wasn't some accidental automation failure or a rogue
DJ.
No, someone hijacked their audio codec.
(01:33):
The thing is, this wasn't an isolated incident.
KRLL in California, Missouri, got hit twice that same week.
Multiple other stations reported attacks on private
broadcast engineering forums, and all of them had one thing in
(01:54):
common.
And if you're a radio engineer, you could probably already
guess what it was.
Barix audio codecs that were sitting out there on the public
internet, basically asking to be found.
Today, we're talking about how radio stations keep getting
(02:15):
quote unquote hacked through these devices, why there are
still hundreds of vulnerable codecs discoverable through
something called Shodan, and most importantly, what you can
actually do to protect your equipment.
Because this problem isn't going away.
(02:36):
And if you're running a station with any Barix gear, or any
codec for that matter, you need to know this stuff.
All right, so let's start with what these Barix devices
(02:59):
actually do.
Because if you're not in broadcast engineering, you might
be wondering what the hell an audio codec even is.
And that's a valid question.
Radio stations use these boxes to get audio from the studio to
the transmitter site.
You've got the Instreamer at the studio that encodes the
(03:21):
audio and sends it over an IP network.
Then you've got the Exstreamer at the transmitter site that
receives it and decodes it back into audio that goes to your
broadcast chain.
It's basically your studio-to-transmitter link or STL.
The beauty of this setup is flexibility.
You can run it over a private network, leased lines, or even
(03:45):
the public internet.
Way cheaper than traditional microwave STL systems or running
a dedicated, you know, dark fiber link.
Small market stations love these little things because they
work and they don't break the bank.
They're less than, I think, a thousand bucks per device, maybe
500 if you're going for the uh the uh Exstreamer 500 model.
(04:09):
Barix has sold something like 1.4 million of these
devices worldwide since 2001.
They're everywhere, and that's kind of a problem.
So September 4th rolls around, and Bob Carr at Key KPOG is
(04:29):
probably having a really nice holiday weekend when he finds
out that his station is broadcasting pornography
advertisements.
The attackers didn't just play inappropriate content, they
injected fake emergency alert system messages into the
(04:50):
airchain.
And then just to make sure Bob couldn't easily fix it, they
changed a damn password on the device and locked them out of it
completely.
KRLL got it even worse, twice in one week.
Same attack pattern, explicit content, fake EAS messages,
password changes.
(05:11):
And these weren't, you know, sophisticated hackers, you know,
not nation state actors or ransomware gangs demanding uh
Bitcoin payments, just opportunistic people with free
tools and some basic uh knowledge, really.
The tool that they used is something called Shodan.
(05:33):
If you've never heard of it, think of it as Google for
internet connected devices.
Security researchers use it for legitimate purposes, but it's
also a hacker's dream.
You can search for sus, you know, specific uh types of
devices, specific open ports, specific vulnerabilities.
(05:56):
And right now, as of October 2025, there are 600 to 650
publicly accessible Barix devices just sitting out there
on the public internet.
And 300 of those are in the United States.
(06:17):
Fletcher Pride from Family First Radio Network put it
pretty well.
He said, quote, if Barix would make their devices not
broadcast their presence prior to being signed into, the kind
of attack that has been happening would be much harder
as the attackers would not know where to attack.
(06:39):
Unquote.
But they do broadcast their presence.
So the attack vector is stupidly simple.
Search for Shodan for exposed Barix devices, try default
passwords or just brute force weak ones, redirect the audio
stream to whatever content you want, change the password to
(07:01):
keep those uh that are supposed to be in there out, and you're
done.
The scary part is how many stations still have their codecs
set up with default passwords or just weak security in
general.
We're talking about devices from 2003, 22 years old, still
running at various transmitter sites.
(07:24):
Johannes Rietschel, who founded Barix, estimates there are
tens of thousands of these second-generation devices still
out there.
A lot of them shipped with either no password or default
credentials that nobody ever bothered to change.
(07:45):
Small market stations don't always have a dedicated IT
person.
Sometimes it's one engineer covering multiple stations or
maybe the, you know, program director who also handles the
technical stuff.
These folks are stretched thin, and cybersecurity isn't always
top of mind when you're just trying to keep the station on
(08:07):
the air.
Rietschel said something kind of brutally honest in a recent
interview.
He said, quote, there's no such thing as a driver's license
required to put devices onto the internet, unquote.
And that's the uh reality, right?
Anyone can plug these things in.
Most stations do it without even thinking about security
(08:29):
implications because it just needs to work.
Okay, so now you're probably wondering, how do I make sure
these uh attacks don't happen to me?
Because if if you're running Barix equipment, you should
(08:50):
be at least a little concerned right now.
The number one rule, and this is non-negotiable, never, ever
expose Barix devices directly to the internet.
No port forwarding through your firewall, no public IP
addresses, absolutely 100%, never, ever any exceptions to
(09:17):
that rule.
I cannot stress that enough.
The gold standard for protecting this equipment is
VPNs.
Virtual private networks.
When you when you need to send audio over the public internet
or access your devices remotely, you establish a VPN tunnel
(09:38):
first.
Your Instreamer at the studio and your Exstreamer at the
transmitter site need to communicate exclusively over
this encrypted tunnel.
What this does is make your devices invisible to Shodan
scans.
Attackers can't find what they can't see.
(10:03):
Your audio path needs to stay private even when it's going
over the public internet.
And any remote management happens through that same secure
tunnel.
Bob Carr at KPOG learned this the hard way.
His station had the Exstreamer password protected, which sounds
(10:25):
good, right?
But they also had port forwarding enabled for outside
access.
That's the vulnerability right there.
After the hack, Bob immediately started planning a VPN
implementation.
Better late than never.
But it wouldn't have uh you know, it would have been better
(10:46):
to do it before they got hit.
Now, if you can't deploy a VPN right away, Fletcher Pride
recommend recommends two interim approaches that are, I guess,
better than nothing.
First option, remove port forwarding entirely from your uh
router.
(11:06):
When you absolutely need access, temporarily open the
port, do whatever you need to do, then immediately close it
again.
This at least dramatically reduces your exposure window.
The downside is it requires manual intervention every single
(11:26):
time, which, you know, is gonna get old fast.
But it's it's it's way better than leaving that port open
24-7.
The second option is what he calls the jump box approach.
You place a computer inside your private network, running
remote viewing software, could be something like DWService or
(11:50):
AnyDesk.
Then you access your local network through this computer's
browser.
You get full internal network access while maintaining
virtually no outside exposure.
Raspberry Pi computers are perfect for this.
They're cheap, reliable, and they automatically recover after
a power failure.
(12:11):
You set it up once, and it just sits there waiting for you to
connect when you need it.
But here's the critical limitation with both of these
alternatives.
Neither one works if you're using an Instreamer on a
private IP network, pushing content to an Exstreamer on a
(12:34):
public IP network.
That configuration requires the receiving codec to be
discoverable, which is exactly the vulnerability you're trying
to eliminate.
For studio-to-transmitter links over the public internet,
VPN tunnels become mandatory, not optional.
Beyond network isolation, there are some additional hardening
(12:58):
steps you should probably be doing.
Set 24 character passwords, minimum, on all your devices.
Never use default credentials on anything.
If you bought a piece of equipment and it came with a
default password, change it now.
Like stop listening to this podcast and go do it.
For secure cloud managed connections, use it.
(13:27):
Keep all your firmware current on the uh, you know, with the
latest security patches, and deploy access control lists to
restrict which IP addresses can even try to reach your devices.
Shane Tovin, he's the director of technology at France and
Media, put it this way quote While there are a small number
(13:52):
of exceptions, very seldom does a piece of a of uh broadcast
equipment need a direct public IP address or port forwarding
through a firewall.
The key here is using things like VPN tunnels and access
control list, unquote.
So, why does all of this matter?
I mean, you know, beyond the obvious embarrassment of having
(14:15):
explicit content broadcast over your station.
The fake emergency alert system messages are the real problem.
When people hear fake EAS alerts, they stop trusting the
real ones.
And the EAS exists for genuine emergencies.
You know, tornadoes, flash floods, amber alerts, all that
(14:38):
stuff.
If listeners tune out because they've heard a you know, a
fraudulent alert, the entire system breaks down.
That's a public safety issue.
But this also illustrates something bigger.
We're living with decades of legacy Internet of Things
devices that were never designed with security in mind.
(15:02):
These things will remain in service for years because
replacing them cost money that small broadcasters just simply
don't have.
And when those organizations are managing critical
infrastructure, whether that's broadcast stations or water
treatment plants or traffic control systems, we've got a
(15:24):
problem.
The attacks they keep happening because nothing fundamentally
has changed since 2016.
That was the first major documented Barix attack.
The FurCast incident, where hackers played an explicit
podcast on multiple radio stations, same vulnerabilities
(15:47):
still work today.
Same Shodan searches reveal the same types of devices, but
broadcast engineers are still finding out about successful
attacks only after inappropriate content has already aired.
Industry awareness has definitely grown, and codec
(16:09):
manufacturers like Tieline now emphasize security best
practices in their documentation.
Conference presentations talk about this kind of stuff.
There are more resources available than ever.
But awareness alone doesn't retrofit VPNs onto small market
stations running on shoestring budgets.
(16:31):
It doesn't replace 22-year-old equipment that still works just
fine for audio transport, but has security that's basically uh
Swiss cheese.
Until those 600 plus exposed devices get properly secured or
pulled offline, more attacks are gonna happen.
(16:53):
The tools are free, the targets are known, the vulnerabilities
persist.
The only question is when, not if.
Uh, attack, we're just kind of the latest in a pattern that
(17:43):
goes back nearly a decade at this point.
If you're running this equipment, the solution is
obvious.
VPN tunnels.
Don't expose your codecs directly on the internet.
Don't rely on just passwords.
Don't do port forwarding, lock everything down behind proper
network security.
(18:04):
It's not just optional anymore, if it ever was.
I feel like I'm scolding people.
But we gotta get the point across that in some way, this
isn't gonna go away.
The vulnerabilities are known at this point.
The attack methods are documented, and the tools are
(18:26):
freely available.
The only defense is proper security implementation, and
that means VPNs and access controls.
All right, I'll quit scolding you guys.
(18:47):
Thanks for listening to this episode of Fully Modulated.
If you found this useful, I'd really appreciate it if you
could uh help the show grow.
Follow us on your favorite podcast app, leave a rating and
review on Apple Podcasts or Spotify.
It actually does make a huge difference in helping others
find the show.
Share this episode with anyone who's still running these uh
(19:08):
ancient little broadcast tools.
Send it to your chief engineer, your station manager, anyone
who needs to hear this information.
And if you're you know, if you if you've got questions,
experiences with uh I don't know, codec security, or just
want to share your thoughts, send me an email, Tyler at fully
modulated.com.
You can also find me on the social media.
(19:30):
We're at Fully Modulated on Facebook, at Fully Modulated Pod
on Instagram, and at fullymodulated.com over on Bluesky.
Come say hi, share your stories, let me know what topics
you want to hear about.
This has been Fully Modulated.
Stay secure out there and keep those VPNs up and running.