The Max Headroom Signal Hijack

On November 22nd, 1987, a hacker took over the signals of two Chicago-area TV stations and broadcast two bizarre and somewhat vulgar messages. In this episode we explore this notorious hack, and its implications for the nature of hacking in general.

Hosted By

Ran Levi

Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, created the popular Israeli podcast, Making History, with over 14 million downloads as of Oct. 2019.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

Special Guest

Sam Curry

Chief Security Officer at Cybereason

Experienced Senior Security Executive with a demonstrated history of working in the computer and network security industry: product, engineering, security experience. Extensive publications and patents, big company and entrepreneurial track record. Multiple awards from industry, public sector and academic institutions. Personal mission to fulfill the obligation of security to the world.

FIRST INTRUSION

Hi, I’m Ran Levi. Welcome back to Malicious Life, in collaboration with Cybereason.

Today’s story begins on November 22nd, 1987, at 9:14 p.m. Channel 9 is running its 9 o’clock news hour. Sports anchor Dan Roan is reviewing an easy 30-to-10 win of the 8-and-2 Chicago Bears over their hapless rivals, the 2-and-8 Detroit Lions. Onscreen, Lions quarterback Chuck Long drops back into the pocket. Bears lineman Richard Dent comes rushing around his blocker, and opens his arms wide, heading straight for Long. He’s about to crush this poor quarterback when suddenly, without warning, the signal cuts out.

The screen is black for thousands of Chicago homes. In the WGN-TV control room in the north of the city, technicians are baffled. They scramble.

After 15 seconds, a low-quality video appears on screen. It’s somebody in a tan suit, wearing sunglasses over a mask of “Max Headroom” – a fictional AI character from an 80’s T.V series. They’re sitting in front of a slab of corrugated metal spinning one way then the other, back and forth, hypnotically. They’re nodding at the camera, maybe laughing, or trying to say something. A loud, grating buzzing noise is all that can be heard.

Then the feed goes black again. Station engineers, panicking, manage to shift their broadcast frequency. After 28 seconds off air, the 9:00 news finally comes back on.

“Well, if you’re wondering what’s happened, so am I,” the anchor replies, giggling, a bit flustered. “Actually, the computer that we have running our news from time to time took off and went wild. So what we’re gonna do is start over from the top.”

The show continues, as technicians behind the camera and at the studio, and tens of thousands of Chicago-area viewers, are left trying to figure out what the heck just happened.

HOW TO HIJACK A TV SIGNAL

Depending on the target, hacking a website can be almost as cheap as starting one. It is because the internet is so free and open that the barriers to breaking it can often be so low.

Television, on the other hand, is a highly-controlled, centralized business. You and I can’t simply go out and start a television station like we could start a website–the technological, regulatory and financial barriers to doing so are simply too high.

For example: WGN-TV studios were located in the north of Chicago’s metro area. They broadcast their signal about seven miles to an antenna atop the John Hancock building–a 100-story skyscraper in the very heart of the city–where every day, 24 hours a day, it beamed to tens of thousands of homes in the area. In other words, this was not trivial machinery.

Logically you might assume that hacking a television station of such scale–with all the expensive infrastructure used to support it–would be highly costly and difficult. This is what experts had assumed, too. It’s part of the reason why, immediately following the breach, WGN employees scoured the building for a malicious insider, assuming that only someone with direct access to their tech could’ve pulled off such a feat. But no such insider was found.

How could this be? Well, there were two possible answers. Either a) the insider managed to perfectly cover their tracks, or b) hacking a television station like WGN wasn’t as difficult as experts assumed it was.

“[Sam Curry] My name is Sam Curry. I’m chief security officer for Cybereason and a visiting fellow at the National Security Institute.”

Sam was interviewed by Nate Nelson, our senior producer.

“[Nate Nelson] How does one go about hijacking a television station?
[Sam Curry] Well, I guess the first thing you have to do is figure out what population you want to go after. Yeah. Especially if it’s geographically bounded and how do they get access to signal. Is it cable, is it over IP? Does it make sense to try to get one of the points at which the branches fork in the distribution of the signal and try to hijack that and become the source of authority?”

HISTORY OF HIJACKING

Nearly one decade to the day before the Max Headroom hack, a transmitter in the south of England was hacked during an early-evening news program. The picture kept running while the audio cut out, and was replaced by a strange message…

“This is the voice of Vrillon, a representative of the Ashtar Galactic Command, speaking to you. For many years you have seen us as lights in the skies. We speak to you now in peace and wisdom as we have done to your brothers and sisters all over this, your planet Earth. [. . .] Be still now and listen, for your chance may not come again. All your weapons of evil must be removed. The time for conflict is now past and the race of which you are a part may proceed to the higher stages of its evolution if you show yourselves worthy to do this. You have but a short time to learn to live together in peace and goodwill. [. . .] We are deeply concerned about you and your path towards the light and will do all we can to help you. Have no fear, seek only to know yourselves, and live in harmony with the ways of your planet Earth. We here at the Ashtar Galactic Command thank you for your attention. We are now leaving the planes of your existence. May you be blessed by the supreme love and truth of the cosmos.”

It’s unclear from where in space Vrillon delivered their warning to the human race. A few viewers found the matter quite serious, but the majority did not. Some cited the rather odd choice of North Hampshire, England, as the location for an alien to broadcast their Earth-saving message. Others noted that the alien had a suspiciously British accent…

What made Vrillon’s job rather easy was that the ultra-high frequency transmitter broadcasting that television channel was uniquely vulnerable. Rather than being connected to a landline, it broadcast a signal received from another transmitter fifty miles away. If you’ve listened to our episode on the Marconi Affair, you’ll have some idea of the ease with which such long-distance signals can be manipulated. Even an ordinary transmitter, placed close enough to the antenna, could have overpowered the signal.

That isn’t to say it was easy for Vrillon to hack the news, but that television in general–which we don’t tend to think of as hackable–is still vulnerable to capable attackers and/or aliens. In fact, even highly-valuable, highly-guarded television channels can be cracked.

HBO’s satellite signal was jammed just after midnight Eastern Standard Time on April 27th, 1986, when a hacker put the following message on screen, quote: “Good evening HBO. From Captain Midnight. $12.95 per month? No way! Showtime, Movie Channel beware!” End quote. The message stayed up for almost five minutes.

My personal favorite television hack occurred on September 6th, 1987, when somebody jammed the satellite signal for the Playboy channel. In place of its X-rated programming, a message was posted on screen, quote: “Thus sayeth the Lord thy God. Remember the Sabbath and keep it holy. Repent for the kingdom of Heaven is at hand.” Now I don’t know about you, but if I were one of those people watching Playboy that day, and out of nowhere the sexy, nude women on T.V. were inexplicably, mysteriously cut off by the word of God…well, I’d probably get to my knees and start repenting my sins right there and then.

THE 2nd INTRUSION

Two and a half months after the Playboy intrusion, the Max Headroom hacker breached Channel 9 in Chicago. Theirs was the most serious attack of them all–not petty like Captain Midnight, not well-intentioned like the Playboy hacker, but bizarre, creepy. By the time it stopped, and the Nine O’Clock News returned, viewers around the Chicago area were stunned, even a little terrified.

And it wasn’t over, either. Later in the night, an airing of Doctor Who on WTTW Channel 11 cut out at around 11:15 p.m. Max was back. He makes an insult against a local TV sportscaster, holds up a can of Pepsi and gives the camera the middle finger. The video cuts to a new angle. The hacker sticks out his bare ass, as a woman spanks him with a fly swatter. After a minute and a half, the channel returned to Doctor Who.

WTTW’s signal broadcast to an antenna atop the 110-story Willis Tower–a building roughly as tall as the World Trade Center buildings. At 11:15, no engineers were at the Willis Tower station. According to WTTW, technicians in their home studio did what they could, but all their attempts to boot the intruder failed. They were utterly helpless. Really, they were lucky the breach lasted only 82 seconds. If it had been ten minutes it might not have been stopped, either.

The day after the Max Headroom intrusions, Chicago was left to figure out what to make of them. Some people were angry. Some found it funny. Many were confused. Nobody knew who the hacker was, or where they came from.

ATTRIBUTION

“[Nate Nelson] Cybersecurity professionals have all kinds of methods and tools for tracking down online hackers. Can you think of any methods or tools that might be useful in tracking down a television hacker?
[Sam Curry] Oh, physics. Physics is your ally there. You know, there are ways of triangulating signals, and the tree, especially if it’s going through the cable network, is, is a, is a predictable thing. You can spot, well, downstream from this point there’s compromise, in upstream there isn’t; you can hone in on it pretty quickly.”

Let’s return to the Playboy channel hack. The first clue to catching the Playboy hacker was a clear motive. FCC investigators were immediately drawn to the Christian Broadcasting Network, CBN for short. That was hardly enough on its own, but it was something.

In total, they counted 370 antennas in the United States large enough to shoot a sufficiently strong signal to knock out the Playboy channel, and only 178 of those were capable of transmitting video signals.

The break in the case came when the FCC team examined the hacker’s message, and identified the type of character generator used to type it. It was a “K-50,” they said, a model developed by the company Knox Products. Of their 178 possible transmission stations, only six used a K-50. One of those six was CBN.

The final clue was even more obscure. Dr. Michael Marcus, an expert in signals analysis, described in court testimony how he figured out the exact kind of transmitter used to relay the attack. From court documents:

“Marcus [. . .] testified that the start of the interference episodes was marked by a period of “fuzziness” which lasted 1.67 seconds. He further testified that such a phenomenon was the result of the transmitter responsible for the interference operating for a certain period of time at low power and then shifting into a full-power mode. This step-up in power is a characteristic of Varian Gen-2 transmitters. Each transmitter has a particular time at which it steps up that varies somewhat from transmitter to transmitter, but each transmitter itself never varies by more than 1/100 of a second. The CBN ground station used a Varian Gen-2 transmitter and Marcus testified that the FCC tested this transmitter three times with resulting step-up measurements of 1.66, 1.67, and 1.68 seconds.”

Between the K-50, the Varian Gen-2 and the nature of the hacker’s message, it was clear that only the CBN television station at Virginia Beach could have launched such an attack. Thomas Haynie, an uplink engineer for CBN, was identified and later convicted, ordered to three years’ probation, community service and a modest fine.

If you want to catch a television hacker, the Haynie case proved how to do it.

The HBO satellite hack investigation began similarly. When the FBI and FCC teamed up to find the mysterious Captain Midnight they began with a list of 2,000 licensed transmitters around the United States. Of those, 580 uplink sites were large enough to broadcast a signal as strong as the one required to down HBO. By analyzing the typeface used in Captain Midnight’s message, and discounting all broadcast stations that weren’t operating on the day of the hack, investigators–including Dr. Marcus–narrowed their list to only a dozen possible locations from which the attack could’ve been launched. They visited each of the twelve stations, until they had narrowed the list down to just three suspects.

They were closing in on their target when one day an ordinary man from Wisconsin, traveling on vacation, pulled over at a rest stop along Interstate 75 in Gainesville, Florida. While there, he happened to overhear a man talking on a pay phone. The man was large, with small brown eyes and receding blonde hair. This man was talking about having pulled off an incredible hack. When the man drove away, the tourist called the FCC to report their license plate.

Captain Midnight, who turned out to be a man named John MacDougall, had the advantage of being a lifelong professional in the industry, installing, selling and operating satellite dishes. He knew how satellites worked better than almost anyone, and as such, knew how they could be broken. He was taken down for a reason common to amateur hackers today–bragging–but even if he hadn’t blabbed, he would’ve gotten caught soon after, anyway.

THE INVESTIGATION

The Haynie and MacDougall cases present a pretty clear methodology of how to trace a television hacker. But, as with online hackers, television hackers can do a lot to hide the trail leading back to them. The suspiciously British alien Vrillon, for instance, was never caught. Perhaps British authorities were less intent on catching Vrillon. Or perhaps Vrillon escaped into hyperspace before they could be traced back.

The Max Headroom hacker employed no typed message whose characters could be used to identify the equipment they were working with. Their face was covered by a mask, and the background of the camera shot was covered up by a spinning slab of corrugated metal. Really, all investigators had to identify the perpetrator was that shiny, white butt.

Dr. Marcus was tasked with leading the investigation for the FCC. His team deduced that the hijack probably required equipment that might’ve only cost a few thousand dollars, and would probably have had to be launched from the north of the city, nearer to the two channels’ broadcast antennas. The video was probably shot in some sort of warehouse, because the background appeared to be a typical warehouse door. Most obvious of all: the perpetrator had to be a highly technical person, probably someone with personal experience with broadcast television.

The team then received a tip–a strong one, pointing to a specific location in the Chicago metro area where the hijacker could have launched their attack. But there was no suspect, and they lacked probable cause to obtain a search warrant. The case against the Max Headroom hacker slowed down, as people moved on with their lives. In an interview with Vice Motherboard, Dr. Marcus summed up the problem. Quote: “Max Headroom wasn’t a danger to public safety, or to a multimillion piece of equipment. So the resources were a lot less.”

To this day we don’t know who was behind that mask. We don’t know exactly how they pulled off the hack, or exactly why they did it.

But the Max Headroom incident does raise an interesting question. Think about it this way: nowadays, according to various estimates, at least a few thousand websites are hacked every single day – from script kiddies defacing blogs to seasoned hackers breaking into online stores. The vast majority of these hacks are left unreported, and the ones that are are mostly forgotten a week later. Yet the Max Headroom hack – which happened more than 30 years ago and caused no financial damage whatsoever – still attracts our attention to this day, with many articles and discussions about the incident every year. What is it about this particular hack that captures our imagination, even after so many years?

Perhaps it has to do with the differences between the two media, and the nature of the people who hack them.

POLITICS

Here’s our Senior Producer, Nate Nelson:

“[Nate Nelson] Where computers are an active medium–you’re typing, you’re searching, whatever it may be–with T.V., once you get to the channel you want, you sit back and let it all happen to you. It’s passive, so any interruption has more effect. Even more than that, it’s because IT hacks occur frequently that we’re conditioned to expect them. Whereas television hacks are very rare.”

And there’s also the difference in the nature of the relationship each media has with centralized authority.

“[Nate Nelson] Computer hacks are often joined with political meaning, but television hacks, I would argue, are even more effective at relaying political messages because of the extra element of surprise. The reason why, of course, is because the medium is far more centralized, controlled, than the internet. So the Max Headroom hijack contained little overt messaging, but it was nonetheless a radical political act in how it threatened the authority we associate with television. It was really subversive.”

“[Sam Curry] I’m always reminded of the Solidarity movement, that having eyeballs and being able to control the message. You just look back at, at Poland in the Cold War years, 30 minutes gave Lech Walesa the ability to lead a revolution in effect in Poland.”

The “Solidarity” movement he’s talking about was a trade union in Poland in the 1980s, which advocated for workers’ rights and social change, and played a major role in the end of communist rule in Poland.

In September of ‘85, four Polish astronomers, using only an ordinary computer, a synchronizing circuit and a transmitter, managed to superimpose pro-Solidarity messages over their country’s communist-run state television. “Enough price increases, lies, and repressions. Solidarity Toruń,” they wrote, “It is our duty to boycott the election.” It was an act of defiance. They painted Solidarity’s logo right on top of the screen.

And when given a very small amount of broadcast capability through legitimate channels, even a relatively modest message under, under the domination of the Soviet Union got people to take to the streets with banners and led to a real impact and changes in the former Polish East Bloc regimes. So for me it was always a message of those who control the message can really dictate, and I think we know this very well today, but they can really dictate public opinion and almost the meme space that we all operate in.

The Solidarity incident proved how effective television hijacking can be in undermining authority. But the content of the message wasn’t the important part–it was that they managed to get it on live air in the first place.

THE HACKER

And speaking of protest, it’s interesting to see how the hack reflects on the personality and intentions of the hacker themselves.

As Dr. Michael Marcus – the expert who investigated the Max Headroom incident and others before it – noted in the testimonies he gave, the hacker probably has strong technical skills. Even back in the early 80’s, the public already encountered skilled hackers: these were the now famous ‘phreakers’, who hacked phone systems and made long-distance telephone calls in a time when such calls were prohibitively expensive. Looking back, we remember these phreakers with fondness. Some, like Steve Wozniak, are even viewed as a sort of ‘culture heroes’. The Max Headroom hacker, however, is not remembered with the same fondness. Sure, we enjoy telling and re-telling the story of the incident, but the person behind the mask? They come out as a bit… creepy.

That’s partly because of the vulgarity of their acts in the recorded messages: the middle finger, the exposed buttocks, the spanking, etc. But I think there’s another reason. What Steve Wozniak and his friends did in the 70’s was just as illegal as what the Max Headroom hacker did – but their motives were different. Phreaking was partly about ‘sticking it to The Man’ – the phone companies who controlled the telephone system – but partly, and perhaps even mainly, about curiosity. For many phreakers, hacking phone systems was a journey of exploration: you never knew what exciting discoveries you were about to make in these vast global systems, who you could talk to on the other side of the world. Many of us can relate to that sense of curiosity. I remember how curious I was in the very early days of the internet. I used to just sit in front of the computer for hours, browsing random websites, hopping from one link to another – because you never knew what you’d find behind the next link! It could be an online shop selling something exciting, or a website dedicated to some weird and wonderful hobby you’ve never heard of. In that sense, we can relate to Wozniak’s curiosity.

But the Max Headroom hack wasn’t about curiosity at all: there was nothing new and exciting to be discovered. It was all about sticking it to The Man – and while some of us might see this as a valid justification for the hijacking of the signal, it is overtly malicious. That is why, personally, I think the Max Headroom incident is a bit uncomfortable to watch.

CONSUMERISM

Lastly, there’s the difference between the TV and the web’s respective relationships with the culture of consumerism.

“[Nate Nelson] Television has a certain sheen to it that the internet lacks. Shows have to begin and end on the hour or half hour mark. You’ve got commercials, celebrities, it’s on 24/7, and you know what’s going to be on not only at 8:00 but also 8:00 next Thursday. It’s all very predictable, and comfortable. Comfort is key in T.V–it’s why so often we’re attracted to programming that doesn’t challenge us. Reality shows, opinion news, late night comedy. Doctor Who, a network news segment recapping a Chicago Bears game–these are the epitome of comfort. It’s like a warm hug from your dad. No matter what else is going on out there, if you can lay on your couch and flip on the Bears highlights, everything’s got to be okay.”

“[Sam Curry] But this kind of passivity–of buying into mass media culture, of being a mindless consumer–is exactly the kind of thing that Max Headroom the character, the show, is all about.”

In the future dystopia of The Max Headroom Show, large television corporations dominate society as oligarchs. In the midst of it all is Edison Carter: a tall, handsome and fictional reporter for “Network 23,” played by the actor Matt Frewer. Carter is notorious for hard-hitting scoops which often get him in trouble with his superiors, who’d prefer to keep important stories from public attention. In one such case he goes too far, and is forced to flee his office on a motorcycle. As he’s getting away, just before he crashes and falls into a coma, he looks up to see a warning sign hanging above a parking lot entrance. It reads: “MAX HEADROOM 2.3 meters.” In his catatonic state, Carter’s memories are uploaded to a digital, artificial intelligence program that takes on the name Max Headroom.

“[Nate Nelson] In the course of researching this story I came across a rather abstruse essay from an academic named Andrew Ross, which pointed me to a particularly interesting episode of The Max Headroom Show. Then I managed to find a rip of it on DailyMotion. Now, the show itself is pretty dated. But watching it felt like diving straight into the brain of this hacker.”

Season 2, Episode 1 of The Max Headroom show is about television broadcast hijacking. It opens with a woman watching a show called “Shop and Spree.” The hostess, drowned in makeup, is selling a diamond necklace with big, colorful graphics flashing on screen. The woman begins dialing the number on screen when she’s interrupted by Max Headroom.

“You know, this home shopping show is great,” he jokes, talking straight at her, “from start to finish it’s just sell, sell, sell.”

A moment later the signal goes haywire. Somebody’s interfering with the broadcast signal. This is serious stuff, in a world dominated by network television oligarchs. The penalty for such a crime is death.

An innocent man, Reg, is accused of having caused the interruption. He’s put on trial, but of course, the trial takes place on television, as a game show, where the judge is the host and the audience acts as the jury that will either find Reg innocent, or sentence him to death.

The prosecutor steps up to make his opening argument, on why a malicious broadcast intruder must be put to death. Quote:

“What we’re really talking about here is principle… what we’re talking is… the threat to television! …to our lives! We are talking about interrupting! If decent, honest, peaceful television-loving people cannot watch “Shop & Spree” without these savage attacks on their viewing freedom. Have to ask this question: Are we being too lenient? When our wives and daughters cannot shop from their own homes in peace, we must ask, Is consumerism itself under attack?”

It seems that the Max Headroom hacker themselves, whoever they were, had that consumerism in mind when they recorded their message. As I mentioned earlier, in the 2nd signal hijacking they are seen waving a can of Pepsi and saying ‘Catch the Wave.’ That’s not a random choice of words. Following the T.V series’ success, Max Headroom appeared in a series of Coca-Cola advertisements, where he delivered the catch phrase ‘Catch the Wave’. A lot of fans of the show, including the creators of the character, felt betrayed at their favorite character selling out to corporate interests. The hacker is playing to that–they’re poking fun.

“[Sam Curry] So this was kind of like a counterculture. Like you are drinking from the Soma. You’re, you are, you are, you are consuming what the, what you were supposed to as a good corporate citizen or sheep.”

EPILOGUE

So, to wrap things up – the Max Headroom signal hijack, although it was never solved, shines some light into the nature of hacks on various media. Sam Curry reminds us of a particularly smart saying that relates to what we’ve covered today.

“[Sam Curry] It was Marshall McLuhan who said the medium is the message, but in many ways controlling the medium is controlling the message.”

If there’s anything to be learned from the Max Headroom hack, it’s that the saying ‘The Medium is The Message’ is true not only when it comes to content. Hacking a television signal sends a very different message, and says very different things about the hacker, than hacking a website or some other media. The medium you’re hacking, then, is part of the message you’re sending.