Tech

Someone Hacked a Billboard in Atlanta to Display Goatse

Atlanta’s affluent Buckhead neighborhood is a great place to shop, eat, and, last weekend, it was a great place to spot a man bent over stretching his asshole far beyond what could possibly be healthy.

Hackers took over a video billboard in the neighborhood and replaced it the most infamous image from Goatse, one of the internet’s original shock sites (Image here, if you must see it). Specific details about how the hackers hijacked the billboard haven’t come out yet, but one security researcher says that he warned the company that owns and operates the billboard that many of its signs are vulnerable.

Videos by VICE

Dan Tentler is a well-respected security researcher who works for Carbon Dynamics, a security firm. Thursday, he tweeted that he had been in contact with the company that owns the billboard and was told thanks but no thanks.

“I wanted to let you guys know that your customers are deploying these signs and not changing the default passwords, which, if an actual bad guy found this out, could lead to some unwanted tinkering with the signs, possibly some defacement,” Tentler wrote in an email send in April to the company.

“It would probably be a good idea to do one or more of the following: Contact the owners of the signs, ask them politely to apply some firewall rules … reconfigure the security posture of the signs … at least notify the customers that there is a potential security risk,” he continued.

Tentler would not tell Motherboard the name of the company or provide additional details, because he is planning a formal paper and talk on the subject that will likely be presented at DEF CON, an annual security conference held in August.

Tentler said he followed up with the company one day before the billboard was hacked, telling the company that it was a “fairly significant find.”

“Not interested but thank you for the follow up,” a network engineer at the company responded.

Tentler is a well-respected researcher and isn’t a suspect in the hacking, which is currently being investigated by the FBI. Local media reported that a group called the “Assange Shuffle Collective” took responsibility for the hack in a now-deleted post on Reddit. The Assange Shuffle Collective isn’t a group we’ve ever heard of or seen before, and the poster provided no proof that he or she had anything to do with the hack, so take those reports with a grain of salt.

In a sense, the “who” doesn’t even really matter. As we’ve seen time and time again, devices that make up the Internet of Things often don’t have even basic security features that you see on PCs and smartphones. Pushing software updates to IoT devices is often difficult, which is why the Heartbleed vulnerability found last year is expected to persist in the IoT for a very, very long time.

Beyond that, we’ve seen wind turbines, billboards, and other internet-connected devices deploy a “security-by-obscurity” strategy (if you can call it that). The people running these things don’t see them as potential targets, so they rarely change usernames or passwords; instead, they hope that no one will ever find out the device’s IP address.

If you know where to find their control software or know the IP address, you can log into them using usernames such as “Admin” and passwords such as “default.” (We see this problem with signs that aren’t connected to the internet, too)

In this case, Tentler says that the affected billboard is still online and that the security hole still hasn’t been fixed. With security like that, I’d expect to be seeing a lot more defacement, all over the country.