Zombie Hackers Exploited Emergency Alert System Security Flaws

FCC has known about security gaps in networked alert systems equipment for more than 10 years. What if next hoax is serious?
"The bodies of the dead are rising from their graves and attacking the living," warned an Emergency Alert System (EAS) hoax alert broadcast Monday on KRTV in Great Falls, Mont. "Do not attempt to approach or apprehend these bodies as they are considered extremely dangerous."
But the real danger is arguably that the nation's emergency alert program, which includes television, radio, Internet and wireless alerts, is insecure. Indeed, after this week's hoax zombie warning, the Federal Communications Commission sent an "urgent advisory" to all television stations, requiring that they immediately change the passwords on all EAS-related equipment, ensure the devices are placed behind firewalls, and verify that hackers hadn't queued up any more bogus alerts, reported Reuters.
"In this particular attack, it was just bad hygiene: passwords that weren't reset," said attorney James A. Barnett Jr., speaking by phone. From 2009 to 2012, he served as the chief of the Public Safety and Homeland Security Bureau for the FCC, where he proposed and conducted -- with the Federal Emergency Management Agency (FEMA) -- the first-ever nationwide test of the EAS.
The zombie alert hack was "a simple one," said Barnett, who's now a partner in the cybersecurity practice at law firm Venable. "This was a prank. But if something was done to try and panic the public -- or even worse, to interrupt communications during an actual emergency -- that's pretty serious."
"It isn't what they said. It is the fact that they got into the system. They could have caused some real damage," Karole White, president of the Michigan Association of Broadcasters, told Reuters. The same group of hackers, she said, this week also targeted EAS equipment at two stations in Michigan, as well as multiple stations in California, Montana and New Mexico.
According to Mike Davis, principal research scientist at security firm IOActive, many popular makes of emergency alert system ENDEC -- for encoder-decoder -- devices contain numerous exploitable vulnerabilities. Many of the devices are also publicly accessible via the Internet, and can be exploited via bugs in the firmware, without having to obtain or brute-force-guess any passwords.
Davis told Threatpost that with just a few hours' study of the firmware running on one popular ENDEC, which he declined to identify, he discovered multiple bugs, including one vulnerability that would have allowed him to remotely log into the device and insert a message of the type broadcast by KRTV.
"There is some really, really, terrible software on the other side of that box," Davis said. "There are some known issues like authentication bypasses and what I would call backdoors, although I don't know if they were meant that way." By Davis' count, as of Wednesday morning there were at least 30 exploitable ENDEC devices that were publicly accessible via the Internet and which could be remotely exploited by hackers.