A story about a radio station feed being hijacked popped up in my Facebook feed today, and it immediately felt familiar. Not because this kind of thing is common, exactly, but because it is no longer unusual.
I have been hesitant to make too much of these incidents. One station gets strange audio, another airs fake alert-style tones, a clip circulates online, and the whole thing risks sounding more like prank culture than a serious security issue. Even after the FCC warned in November about a recent string of intrusions tied to exposed broadcast audio equipment, it was easy to treat each new episode as a one-off. No single incident, by itself, looked like a major operational disruption. Taken together, though, they are starting to look less like isolated stunts and more like a persistent weakness in the broadcast chain.
That is what caught my attention about the reported hijack of 107.7 The Bay in Michigan. A Facebook post circulating Monday said the Alpena-licensed station was hijacked around 6 p.m. on April 5, with listeners hearing sped-up Disney music, fake alert-style audio and then silence. I was able to confirm the post and the station’s identity through FCC records, though not the exact timeline, duration or method of the intrusion.
Even with those caveats, the larger pattern is no longer speculative. In a Nov. 26 public notice, the FCC said it had seen a “recent string” of cyber intrusions against radio broadcasters in which attackers hijacked studio-to-transmitter links and aired obscene material along with actual or simulated Emergency Alert System tones. The agency said threat actors were often accessing improperly secured Barix equipment and reconfiguring it to carry attacker-controlled audio instead of station programming.
What makes the Barix angle unsettling is how mundane it is. This does not look like some dazzling new exploit. It looks like the kind of preventable IT failure that shows up everywhere: a box exposed to the internet, weak credentials, sloppy deployment, and nobody thinking too hard about it because it is “just” a piece of broadcast gear. Except this is not just a router in a back office. It is equipment that can put attacker-controlled audio onto a licensed radio signal.
That is when the story stops being funny. A station gets hijacked, strange audio goes out over the air, a clip bounces around online, and it is easy to file the whole thing under internet-age weirdness. But when regulators are warning that the same kind of exposed audio gear keeps turning up in these incidents, the pattern starts to look a lot less like prank culture and a lot more like neglected infrastructure.
The strongest recent example came in Houston. ESPN 97.5 KFNC was hacked during a live NFL broadcast in November, and station management said the problem surfaced while the outlet was relying on backup transmission equipment after a power outage. Radio Ink reported that general manager Todd Farquharson said the attackers exploited the backup Barix setup, and the FCC later cited that Texas incident as part of the basis for its warning.
Days earlier, a similar incident hit Radio IQ in the Richmond area. The station said its backup audio signal was hacked on Nov. 19 and carried unauthorized material over 89.7 FM after silence triggered the backup feed. Radio World later reported that the compromised device was a Barix Exstreamer 100 on the backup path.
Smaller-market stations have described the same kind of problem. Radio World reported that KPOG-LP in Des Moines aired obscene lyrics and a false Emergency Alert System message in September after its Barix Exstreamer was accessed and its password changed, forcing a factory reset. The same report said KRLL in California, Missouri, was hit twice in one week during the Labor Day period.
Chip in once
If this reporting helped you, a one-time tip helps cover hosting, tools and future investigations.
Support us monthly
A small monthly pledge keeps independent coverage and our reader tools online for everyone.
What elevates all of this above station gossip is the public-safety angle. The FCC has warned that misuse of actual or simulated EAS attention signals can erode trust in emergency alerts, and it has reminded broadcasters that they must notify the commission within 24 hours after discovering a false EAS tone transmission. Reuters, summarizing the FCC action, said the agency specifically tied recent Texas and Virginia incidents to unsecured Barix gear.
I remember attending a DEF CON talk in 2008 about the Emergency Alert System and the odd risks that emerge when broadcasters trust what they hear from upstream sources. At the time, it felt like one of those unsettling but remote warnings about a brittle piece of legacy infrastructure.
What stuck with me was the basic premise. EAS was built around a broadcast daisy chain, with stations monitoring designated upstream sources and relaying valid alert data onward. The danger was never just a fake message on one signal. It was the possibility of downstream equipment reacting to it. Matt “DCFLuX” Krick’s talk, “Flux on: EAS,” framed the tones and header data not as mere sounds, but as operational signaling inside a system designed to trust what it heard from approved sources.
Re-reading the slides now, what stands out is how concrete Krick’s argument already was. He walked through EAS as a live operational system: how the headers worked, how stations monitored designated upstream sources, and how state and local plans governed what got relayed. That was not just true in 2008. The underlying relay logic is still part of the system now.
That trust model exists for a reason. It comes out of a Cold War civil-defense mindset, when the urgent problem was how to get a presidential warning or attack notice onto the air quickly and keep it moving through the broadcast network. It was built for resilience and reach, not for a world of internet-exposed devices and modern cyber abuse. That history still lingers in the architecture.
I reached out to Krick after I went looking for that old presentation and came up empty. His description of the modern internet-facing side of broadcast infrastructure sounded a lot like every other exposed online service: constant scanning, constant probing, constant noise from would-be intruders. He told me it is getting “real bad with port scanning and stuff like that.” When he recently put a new audio streaming server online for his stations, he said, it logged about 90 login attempts on the first day before he had even advertised the new IP address.
That is what makes the Barix issue feel bigger than a string of on-air pranks. A compromised Barix could open a modern path into a much older trust system. Once an attacker can control what goes out over a licensed signal, the danger is no longer just a few minutes of chaos on the air. It is the possibility that other parts of the broadcast chain might still respond to that signal in ways they were never designed to defend. That does not mean every compromise would trigger a wider relay effect. But it does mean the old weakness no longer feels purely theoretical.
Barix and industry outlets have framed the problem as one of insecure deployment, not some newly discovered universal flaw in the hardware itself. Radio World reported that Barix told users some receiver devices had been exposed directly to the public internet with weak or no password protection, and a Barix executive separately said those devices should never be fully exposed online. That distinction matters. This appears to be, at least in large part, a story about poor security hygiene around critical broadcast-path equipment.
And that is the real issue now. If attackers can get into the audio chain at will, and if parts of the broadcast ecosystem still inherit trust assumptions from an earlier era, how long before someone tries something more ambitious than a prank?
