FCC Warning on Radio Station Hijacks via Emergency Alert System Exploitation
Malicious actors have exploited unsecured US radio transmission equipment to hijack broadcasts, injecting profanity-laden and offensive content by abusing the Emergency Alert System (EAS) tones. The Federal Communications Commission (FCC) issued a warning after a series of incidents in Texas and Virginia, where attackers targeted Barix network audio devices, reconfiguring them to stream attacker-controlled audio that included simulated or real EAS alert tones followed by explicit material. Some stations, such as HTX Media in Houston, confirmed their broadcasts were overtaken, with listeners reporting repeated emergency tones and vulgar tracks during live programming.
The FCC attributed these intrusions to unsecured studio-to-transmitter links and default or weak device configurations, allowing unauthorized access to critical broadcast infrastructure. In response, the FCC published a checklist of best practices for broadcasters, urging immediate firmware updates, replacement of default passwords, network segmentation, and vigilant monitoring of equipment logs. The agency also referenced prior guidance and encouraged direct engagement with equipment manufacturers to ensure robust security measures are in place, particularly for Barix hardware commonly used in the affected systems.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
107.7 The Bay in Michigan reportedly hijacked on air
A reported April 5, 2026 hijack affected 107.7 The Bay in Alpena, Michigan, where listeners allegedly heard sped-up Disney music, fake alert-style audio, and then silence. The incident was presented as another example of ongoing exploitation of weaknesses in radio broadcast transmission chains.
FCC warns that hackers are hijacking radio equipment for false alerts
The US Federal Communications Commission issued a public warning that attackers were compromising radio broadcast equipment and triggering false emergency alert tones and messages. Reports said some hijacked broadcasts included obscene or disruptive audio, prompting the FCC to sound the alarm to affected operators.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
A string of radio hijacks exposes a deeper broadcast weakness - DataBreaches.Net
databreaches.net
Open sourceFCC sounds alarm after emergency tones turned into potty-mouthed radio takeover
go.theregister.com
Open sourceFCC Warns of Hackers Hijacking Radio Equipment For False Alerts
infosecurity-magazine.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Unpatched IDC SFX2100 Satellite Receiver Vulnerabilities Expose Critical Infrastructure to Remote Compromise
A security researcher publicly disclosed **20+ vulnerabilities** in the **International Data Casting (IDC) SFX2100 satellite receiver**, a device reported as deployed across **U.S. Department of Defense**, **European Space Agency**, and other critical infrastructure environments, after the vendor allegedly failed to respond to repeated disclosure attempts over several months. Reported issues span common embedded-device failure modes including **hardcoded credentials**, **unauthenticated remote code execution**, **OS command injection**, **path traversal**, and overly permissive filesystem configurations, with CVEs assigned across **CVE-2026-28769 through CVE-2026-29128**. One highlighted high-impact issue, **CVE-2026-28775**, reportedly enables **unauthenticated command execution as `root`** by abusing **SNMP** management functionality combined with a default read-write community string of `private`. Additional detail on the credential exposure risk is captured in **CVE-2026-29128**, which describes **world-readable routing daemon configuration files** (e.g., `zebra.conf`, `bgpd.conf`, `ospfd.conf`, `ripd.conf`) that are root-owned but readable by all users and contain **plaintext/hardcoded passwords** (including privileged “enable” credentials). This condition can enable credential reuse and lateral movement, potentially helping an attacker establish or deepen access within networks where the SFX2100 is deployed, and it compounds other reported weaknesses such as undocumented default accounts (e.g., `admin`, `monitor`, `user`, `xd`) allegedly sharing a weak password (`12345`).
Mar 21, 2026
CISA ICS advisories flag critical missing-authentication flaws in industrial and broadcast devices
CISA published ICS advisories warning of **critical “missing authentication for critical function”** weaknesses (CWE-306) that expose device management/control interfaces to unauthenticated access. **Synectix LAN 232 TRIO** (3-port serial-to-Ethernet adapter) is affected in **all versions** under **CVE-2026-1633** with **CVSS 3.1 10.0**, enabling unauthenticated attackers to **modify critical device settings** or **factory reset** the device. **Avation Light Engine Pro** is also affected in **all versions** under **CVE-2026-1341** with **CVSS 3.1 9.8**, allowing an attacker to **take full control** of the device due to an exposed configuration/control interface without authentication. Separate reporting highlighted a similar CISA alert for **KiloView Encoder Series** devices, tracked as **CVE-2026-1453** with **CVSS 9.8**, where missing authentication allows unauthenticated users to perform administrative actions such as **creating or deleting administrator accounts**, potentially granting full administrative control and enabling disruption or hijacking of broadcast/streaming workflows. The KiloView issue was described as affecting multiple Encoder Series models and specific firmware/hardware combinations (e.g., E1/E1-s/E2 with listed firmware versions), reinforcing the broader risk of internet- or enterprise-exposed device management planes lacking access control.
Mar 21, 2026
Crosswalk Audio Systems Hijacked Through Default Passwords
Attackers compromised Bluetooth-enabled pedestrian crosswalk buttons in multiple US cities, replacing standard walk prompts with unauthorized political and celebrity-impersonation audio. Roughly 20 intersections in Silicon Valley, including Menlo Park, Redwood City, and Palo Alto, were affected, while similar incidents were later reported in Seattle and Denver. In Denver, two newly installed crosswalks were altered to broadcast anti-Trump messages instead of normal pedestrian instructions. Reporting indicates the intrusions were enabled by weak or factory-default credentials on Polara Enterprises devices, including the widely cited default password `1234`, combined with a publicly available configuration app. City officials in Denver changed passwords after the incident and police opened investigations, but authorities in other cases were unable to identify the perpetrator because the devices did not log audio uploads and surveillance footage provided little value. The incidents have intensified scrutiny of cybersecurity requirements for public infrastructure used by visually impaired pedestrians and exposed gaps in municipal oversight of connected safety systems.
Apr 13, 2026