Hackers Hijack the Airwaves: How Bad Actors Are Using Radio Gear to Broadcast Fake Signals — Are You Vulnerable?

Broadcasters and telcos have been given an unpleasant wake‑up call: attackers are now hijacking radio equipment to transmit fake signals, and the US Federal Communications Commission (FCC) has issued an urgent warning to the industry. If you thought rogue frequencies were only the stuff of late‑night conspiracy forums, think again — this is real, present and noisy risk to the airwaves and the services that rely on them.

What happened and why it matters

The FCC alert follows a string of incidents in which threat actors gained access to radio gear and used it to inject fraudulent transmissions. At the same time, security researchers are reporting increasingly sophisticated campaigns aimed at telecommunications and media companies to deploy malicious payloads and establish persistent access. Together, these trends demonstrate attackers are targeting both the physical signalling layer and the IT/web layers that support modern broadcasting.

Attack vectors: from radio firmware to WordPress plugins

This campaign is a reminder that the attack surface is broad. The supplied intelligence highlights two parallel threats:

• Compromise of broadcast/telecommunications kit — leading to unauthorised signals and potential disruption to public communications.
• Exploitation of widely used web components in the media ecosystem — for example, high‑severity vulnerabilities in WordPress themes and plugins that could allow arbitrary uploads, privilege escalation or administrative takeover.

Notable issues called out in the briefing include the Blubrry PowerPress arbitrary file upload flaw (CVE‑2025‑13536) and several critical vulnerabilities in themes and membership plugins that could allow unauthenticated attackers to gain administrator access. Attackers chaining network‑level compromises with web‑application weaknesses can quickly move from nuisance transmissions to full platform compromise — rather like getting into the studio and nicking the playlist, then broadcasting the chaos live.

Real‑world fallout

We’ve already seen municipalities and public services disrupted by knock‑on cyber incidents, from London councils rolling out emergency plans to notification services suffering ransomware and data breaches. When the media and public safety systems that citizens rely on are impacted, the consequences are more than embarrassing — they can be dangerous. This is where business continuity and resilient communications matter as much as perimeter defences.

Why media and telecoms are attractive targets

1. High visibility: disrupting a broadcaster or council service makes headlines and spreads alarm quickly.
2. Complex ecosystems: legacy broadcast kit, bespoke broadcast‑IT integrations and third‑party web components create many opportunities for attackers.
3. Potential for persistence: once on a network, attackers can deploy command‑and‑control channels and lateral movement tools that are hard to eradicate.

Practical actions for UK organisations (short, sharp and sensible)

Organisations don’t need to panic — they need to act. Recommended steps include:

• Patch and harden quickly: apply vendor patches for broadcasting equipment and address known web vulnerabilities (for example, update vulnerable WordPress plugins and themes listed in the advisory).
• Harden access to management interfaces: enable strong authentication, network segmentation and access controls for radio and network‑management consoles.
• Increase telemetry and detection: monitor for anomalous signalling, unexpected uploads, or new administrative accounts and be ready to investigate fast.
• Run tabletop exercises and update continuity plans — communications outages must be rehearsed, not just hoped away; see ISO 22301 for business continuity guidance.
• Raise staff awareness: a large proportion of web platform compromises start with weak credentials or social engineering — security awareness training remains one of the best value defences.

Helpful resources: Synergos teams often reference frameworks such as ISO 27001 for information security controls, Cyber Essentials for baseline cyber hygiene, and ISO 22301 for continuity planning. For human factors, consider targeted security awareness training.

How Synergos views the risk (without the hard sell)

At Synergos, we’ve been watching a clear pivot: attackers are combining traditional network‑level intrusion techniques with opportunistic exploitation of web‑facing components. That hybrid approach increases both the speed and impact of incidents. Practical resilience therefore demands both technical remediation (patching, network controls, monitoring) and organisational measures (incident playbooks, supplier assurance, staff training). Put simply: lock the back door, check the locks on the front door, and make sure the fire alarm actually works.

Quick checklist for IT and security teams

• Audit broadcast and telecom management interfaces and restrict network access to those consoles.
• Prioritise patching for high‑severity CVEs affecting media platforms and developer tools mentioned in recent advisories.
• Conduct a permissions review on CMS platforms to remove unneeded Contributor/Author capabilities.
• Test business continuity plans for communications failure scenarios and validate public notifications fallback.

It’s tempting to think of radio‑equipment attacks as esoteric — the sort of thing only a Bond villain would bother with — but the reality is more mundane and more dangerous: flawed firmware, misconfigured management interfaces and unpatched web components make it straightforward for opportunistic criminals to cause real disruption.

Stay noisy about security: keep telemetry on, patch ruthlessly, and exercise your plans — because when the airwaves go rogue, you want your organisation to be the one telling the story, not starring in it.