At 10:55 am on April 30, 2021, all the TV screens and classroom projectors at six schools in Cook County, Illinois, started controlling themselves. Screens that were turned off powered up. Projectors that were already on automatically switched to the HDMI input. “Please standby for an important announcement,” read a message that flashed up on the displays. A five-minute timer, counting down to zero, sat under the ominous message.
A teacher in one classroom tried to turn the projector off using the infrared remote, but it was useless. “They overtook our projector,” the teacher, caught on video, told students. The group speculated that it could be a message from President Joe Biden, failing that, “big brother.” The same scene was repeating itself across dozens of classrooms in Illinois’ school district 214—home to 12,000 students. In classrooms and hallways, more than 500 screens displayed the countdown. The system had been hijacked.
Tucked in the corner of one classroom was Minh Duong, a senior on the verge of graduating. Duong sat pouring over his laptop, chatting with three other friends—Shapes, Jimmy, and Green—on encrypted messenger Element, making sure the last of his custom code executed correctly. As the countdown hit zero, a grainy, gyrating Rick Astley burst into the first notes of “Never Gonna Give You Up.”
“I was walking down the hallway, and everyone was kind of laughing—it was kind of fun to watch,” Duong, who also goes by the moniker WhiteHoodHacker, tells WIRED. Later that day, at 2:05 pm, Duong and his friends took over the schools’ PA systems and played the song one last time.
The elaborate high school graduation prank—dubbed The Big Rick by its architects—was one of the largest rickrolls to ever take place, taking months of planning to pull off. “I was actually extremely hesitant about doing the entire district,” Duong says.
During the process, the group broke into the school’s IT systems, repurposed software used to monitor students’ computers, discovered a new vulnerability (and reported it), wrote their own scripts, secretly tested their system at night, and managed to avoid detection in the school’s network. Many of the techniques were not sophisticated, but they were pretty much all illegal.
Minh Duong started hacking his school during his freshman year when he was about 14. “I didn't understand basic ethics or responsible disclosure and jumped at every opportunity to break something,” he writes in a blog post describing the rickroll. (Duong recently presented the Big Rick at the Def Con hacker conference, where he revealed new details about the incident.) During his freshman year, using a computer in a cupboard next to the IT classroom, he started scanning the school’s internal network, looking for connected devices and ultimately laying the groundwork for the rickroll years later.
Duong, now 19, says he was able to access internet-connected security cameras throughout the school, posting a picture of himself in his eventual blog post. (He says the issue was reported, and access was shut down—and he was caught and told to stop scanning the school’s network.)
The Big Rick involved three key components, two of which were originally accessed in Duong’s early high school years. First, he acquired a teacher’s version of LanSchool, a “classroom management” software that can track everything students do, including monitor students’ screens and log keystrokes. They used the software to run scans and exploit the systems while making them appear as if they were in one of the district’s other schools.
Next, he had access to the school’s IPTV system, which controls hundreds of projectors and TVs across the district. When the pandemic struck, Duong says, he mostly forgot about the access to the systems, which he had scanned years earlier, and the school didn’t go back to in-person learning until the end of his senior year. That’s when he decided to do the rickroll, which he says he picked because teachers would likely get the joke.
Duong and his three friends managed to get some access to the projectors and TVs using default usernames and passwords, which hadn’t been changed. The system has receivers that directly connect to projectors and displays, encoders that broadcast video, and servers that allow products to be managed centrally by administrators.
However, Duong decided sending out the rickroll using the servers would be too risky. “Every time you make a request, it’s going to send a lot of requests to all the projectors,” Duong explains. “That’s going to generate a lot of traffic. That’s going to make things very detectable.”
Instead, he created a script to act as a payload, which could be uploaded to each receiver ahead of the rickroll. During the month before the Big Rick, the group sent the script to each of the media players in several batches, reducing the chances of school admins detecting them. He tested the streaming setup at night, so as not to disrupt classes. Duong says he would remotely connect to one PC in the school’s computer lab, which he remotely accessed through the computer club. “I would record a video to test if the projector displayed the stream correctly,” he says, posting a video of the setup.
The group also built out the system—running it on a loop—to avoid teachers turning it off on the day of the rickroll. “Every 10 seconds, the display would power on and set the maximum volume,” Duong wrote in the blog post. The only real way for teachers to disable the stream would be to change the input source from HDMI on the projectors or pull the power cable. “Then we disable infrared remotes,” he says, in case teachers tried to use them to stop the videostream. There was also a failsafe: A few seconds before Astley was unleashed, the projectors were reset to play the correct feed.
Three days before the rickroll, with most of the setup prepared, the group had a breakthrough. While scanning the district network (again) they found EPIC, the Education Paging and Intercom Communications system—the prank’s third component. This controls the hallway and classroom speakers and is used for teacher announcements, fire alarms, and end-of-lesson bells. It can also play custom audio tracks.
Like the IPTV system, the group tried to access EPIC using default usernames and passwords. “It's not really like a sophisticated attack,” Duong says. “The whole thing is script kiddies using default passwords and doing random stuff there.” But the defaults didn’t work.
“I GOT THE PASSWORD TO THE PPA SYSTEM,” Shapes messaged the group on April 29. Yes, the default had been changed—to a password example given in the user manual, which was available online. From here, the team discovered another admin account—the password was password—that could allow them to access the entire district’s speakers.
The night before the Big Rick, the speaker system was set to automatically trigger in the afternoon.
While the Big Rick was always intended as a high school prank—Duong says other pranks last year included students toilet-papering some trees—the hacking was very likely to be outside the law. The students accessed networks they weren’t supposed to—a lawyer might call it “unauthorized access” under the Computer Fraud and Abuse Act. And a malicious hacker could have stolen data, moved through the systems, or used the access to try to cause harm. “I totally was expecting they would get the police in,” Duong says, adding things were “pretty scary” for a bit.
Knowing the risk, the four students involved were keen to show they hadn’t accessed the school’s equipment for anything more than a prank. When the rickroll ended, their script reset the systems to their original state. The only thing they couldn’t do, Duong says, was to make sure that projectors that had been off turned back off. All told, it was a success.
“Definitely the teachers found it very funny,” Duong says. One tweeted: “😂😂😂 Very clever, seniors!” Duong says the only complaint he heard was that Astley was too loud. “Which is fair, because I set the volume to max.” But it wasn’t only the teachers’ response that had the group worried.
“The thing that really prevented us from being in trouble is the report that we sent,” Duong says. Ahead of the rickroll, the team wrote up a 26-page report, which was sent to the admins straight after the incident, that detailed what they had done and provided security suggestions.
The report—Duong shared a redacted version with WIRED—says the group had a set of guidelines. It says they would not do anything that could harm the safety of others; would look to keep any disruption to learning at a minimum (they picked a Friday near the end of term, right at the end of a period); would not access sensitive private information; would not leave systems weaker than they found them; and all the decisions would be made together as a group. Their report also explained what school administrators could do to stop this from happening again—for instance, changing all default passwords.
A couple of weeks later, the school replied. “Because of your strict guidelines and openness to share the information, we will not be pursuing discipline,” an email from the district’s director of technology says. Duong shared the email as part of his talk at Def Con.
A spokesperson for the D214 school district tells WIRED they can confirm the events in Duong’s blog post happened. They say the district does not condone hacking and the “incident highlights the importance of the extensive cybersecurity learning opportunities the District offers to students.”
“The District views this incident as a penetration test, and the students involved presented the data in a professional manner,” the spokesperson says, adding that its tech team has made changes to avoid anything similar happening again in the future.
The school also invited the students to a debrief, asking them to explain what they had done. “We were kind of scared at the idea of doing the debrief because we have to join a Zoom call, potentially with personally identifiable information,” Duong says. Eventually, he decided to use his real name, while other members created anonymous accounts. During the call, Duong says, they talked through the hack and he provided more details on ways the school could secure its system.
Duong, who is now studying computer science at the University of Illinois at Urbana-Champaign, insists the rickroll was just a high school prank, not a wider message on the state of his school’s security. (In recent months, cybersecurity agencies have warned against schools being hit, and some have suffered from ransomware attacks.)
“It was meant to be something that’s fun, and not super serious, or have some sort of message about the state of our school’s security,” he says. In several places during his blog post and Def Con talk, Duong reiterates he could have faced trouble. “I definitely cannot tell anyone to do something like this,” he says. “Because it really is illegal. I was just a lucky case.”
