Zombie hack prompts major security concerns for Emergency Alert System
There's certainly danger to be found when local TV stations start broadcasting emergency zombie alerts. But the actual danger isn't from the walking dead.
Bogus Emergency Alert System messages at several TV stations in Michigan and Montana earlier this week have raised significant security concerns about the federal alert system, put in place to warn citizens of natural disasters and other emergencies.
"It isn't what they said. It is the fact that they got into the system. They could have caused some real damage," Michigan Association of Broadcasters President Karole White told Reuters.
On Monday, hackers broke into the EAS systems at ABC 10, CW 5 and Northern Michigan University's WNMU-TV 13 in Marquette, Mich., and CBS affiliate KRTV in Great Falls, Mont. Stations in California and New Mexico were also reportedly targeted. The hackers used their access to broadcast a warning that said in part, "the bodies of the dead are rising from their graves and are attacking the living."
The ABC/CW station in Marquette quickly disconnected the EAS system and corrected the information, according to station manager Cynthia Thompson. Thompson said the person responsible for the attack has been found, but that the station is still working with the federal agencies in charge of the EAS to find the system's vulnerabilities.
"Every effort will be made to work with other agencies to determine the hacker's access to the EAS equipment and to prevent any further intrusions," she said.
Although the zombie warning is relatively innocuous, if not humorous, it has the agencies responsible for the EAS—the Federal Communications Commission, the Federal Emergency Management Agency and the National Weather Service—on high alert. These agencies fear the prospect that the system could be used to send out a much more disruptive message or prevent a real alert message from getting through.
The EAS was established in the late '90s as a technological upgrade to the earlier Emergency Broadcast System. In theory, the system is designed so that the president of the United States could issue a message to the entire country within minutes, if needed. No president has ever activated the EAS or any of its technological predecessors nationally, but the system is regularly used for local and regional weather alerts.
The FCC sent out an urgent statement this week for stations to reset EAS passwords, many of which are suspected not to have been changed from their factory preset. The stations were also encouraged to wipe out any queued alerts that may have been prepared in the initial hacking event.
But weak passwords may not be the only issue at hand. The EAS is predicated on an infrastructure of encoding and decoding devices that each system participant station is responsible for maintaining. Earlier this month, technology security experts at IOActive Labs said loopholes in certain pieces of EAS hardware could make them susceptible to remote attacks.
IOActive researcher Mike Davis delivered a report to the Department of Homeland Security's U.S. Computer Emergency Readiness Team, or US-CERT, last month that outlined several major security concerns.
"Changing passwords is insufficient to prevent unauthorized remote login. There are still multiple undisclosed authentication bypasses," Davis said. "I would recommend disconnecting them from the network until a fix is available."
The EAS hack came a day before President Barack Obama signed an executive order to increase federal cybersecurity, raising the issue during his State of the Union address.
"We know hackers steal people’s identities and infiltrate private email," Obama said during his speech. "We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy."
Photo by Alexandre Dulaunoy/Flickr