How I hacked ALL displays in my high school district to play Rick Astley

Disclaimer: This post is for educational purposes only. Do not perform similar activities without explicit permission.

On April 30th, 2021, I rickrolled my high school district. Not just my school but the entirety of Township High School District 214. It’s the second-largest high school district in Illinois, consisting of 6 different schools with over 11,000 enrolled students.

This story isn’t one of those typical rickrolls where students sneak Rick Astley into presentations, talent shows, or Zoom calls. I did it by hijacking every networked display in every school to broadcast “Never Gonna Give You Up” in perfect synchronization. Whether it was a TV in a hall, a projector in a classroom, or a jumbotron displaying the lunch menu, as long as it was networked, I hacked it!

In this post, I’ll be explaining how I did it and how I evaded detection, as well as the aftermath when I revealed myself and didn’t get into trouble.

The Big Rick

Before we get started, here’s some footage of the whole thing:

We prepared full documentation of everything we did, including recommendations to remediate the vulnerabilities we discovered. We sent a complete 26-page penetration test report to the D214 tech team and worked with them to help secure their network.

With that said, what we did was very illegal, and other administrations might have pressed charges. We’re grateful that the D214 administration was so understanding.

Initial access

This story begins with my freshman year when I didn’t have much technical discipline — a time that I can only describe as the beginning of my script kiddie phase. I didn’t understand basic ethics or responsible disclosure and jumped at every opportunity to break something.

So naturally, I became curious about the technology at my high school. And by “curious,” I mean port scanning the entire IP range of the internal district network.

I had a few friends help out with this project — and oh boy, did we scan! Our scanning generated so much traffic that our school’s technology supervisor caught wind of it and came in at one point to ask us to stop. Of course, we did so immediately, but by then, we had finished scanning the first half of the district’s 10.0.0.0/8 address space — a total of 8,388,606 IPs.

From the results, we found various devices exposed on the district network. These included printers, IP phones… and even security cameras without any password authentication.
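
The scan described above was noticed because of the traffic it generated. As an added example (not code from the original post or from D214), here is one way a network team could flag that pattern automatically: a sliding-window count of distinct internal hosts contacted per source. The flow-record layout, the 60-second window, the threshold of 50 hosts and all sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # district address space named in the post
WINDOW_S = 60                        # assumed sliding window, in seconds
MAX_FANOUT = 50                      # assumed limit: distinct internal hosts per window


def find_scanners(flows, window_s=WINDOW_S, max_fanout=MAX_FANOUT):
    """Return {src: peak distinct internal destinations seen in any window}
    for sources exceeding max_fanout. flows: (ts, src, dst, dport), sorted by ts."""
    recent = defaultdict(deque)                     # src -> (ts, dst) still in window
    counts = defaultdict(lambda: defaultdict(int))  # src -> dst -> hits in window
    peak = defaultdict(int)
    for ts, src, dst, _dport in flows:
        if ip_address(src) not in INTERNAL or ip_address(dst) not in INTERNAL:
            continue                                # only internal-to-internal traffic
        q, c = recent[src], counts[src]
        q.append((ts, dst))
        c[dst] += 1
        while q and q[0][0] <= ts - window_s:       # expire entries older than window
            _, old = q.popleft()
            c[old] -= 1
            if c[old] == 0:
                del c[old]
        peak[src] = max(peak[src], len(c))
    return {s: p for s, p in peak.items() if p > max_fanout}


def constructed_flows():
    """Constructed sample data: one host sweeping 10.0.0.0/9 on port 80,
    one ordinary client using three servers, one flow to an external address."""
    flows = []
    for i in range(300):                            # 5 new hosts per second for 60 s
        dst = f"10.{i % 128}.{i // 128}.{1 + i % 250}"
        flows.append((i / 5, "10.12.34.56", dst, 80))
    for i in range(40):                             # normal client, same 3 servers
        flows.append((i * 1.5, "10.12.34.57", f"10.0.0.{10 + i % 3}", 443))
    flows.append((5.0, "10.20.0.9", "203.0.113.7", 443))  # external, ignored
    return sorted(flows)


if __name__ == "__main__":
    for src, fanout in find_scanners(constructed_flows()).items():
        print(f"{src}: {fanout} distinct internal hosts within {WINDOW_S}s")
```

Counting distinct destinations rather than raw packets keeps a busy but well-behaved client (many connections to a few servers) from tripping the alert.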