Feb 15, 2013 (09:02 AM EST)
Zombie Hackers Exploited Emergency Alert System Security Flaws
Read the Original Article at InformationWeek
"The bodies of the dead are rising from their graves and attacking the living," warned an Emergency Alert System (EAS) hoax alert broadcast Monday on KRTV in Great Falls, Mont. "Do not attempt to approach or apprehend these bodies as they are considered extremely dangerous."
But the real danger is arguably that the nation's emergency alert program, which includes television, radio, Internet and wireless alerts, is insecure. Indeed, after this week's hoax zombie warning, the Federal Communications Commission sent an "urgent advisory" to all television stations, requiring that they immediately change the passwords on all EAS-related equipment, ensure the devices are placed behind firewalls, and verify that hackers hadn't queued up any more bogus alerts, reported Reuters.
[ Remember this one? Read Royal Security Fail: 'May I Speak To Kate?' ]
"In this particular attack, it was just bad hygiene: passwords that weren't reset," said attorney James A. Barnett Jr., speaking by phone. From 2009 to 2012, he served as the chief of the Public Safety and Homeland Security Bureau for the FCC, where he proposed and conducted -- with the Federal Emergency Management Agency (FEMA) -- the first-ever nationwide test of the EAS.
The zombie alert hack was "a simple one," said Barnett, who's now a partner in the cybersecurity practice at law firm Venable. "This was a prank. But if something was done to try and panic the public -- or even worse, to interrupt communications during an actual emergency -- that's pretty serious."
"It isn't what they said. It is the fact that they got into the system. They could have caused some real damage," Karole White, president of the Michigan Association of Broadcasters, told Reuters. The same group of hackers, she said, this week also targeted EAS equipment at two stations in Michigan, as well as multiple stations in California, Montana and New Mexico.
According to Mike Davis, principal research scientist at security firm IOActive, many popular makes of emergency alert system ENDEC -- for encoder-decoder -- devices contain numerous exploitable vulnerabilities. Many of the devices are also publicly accessible via the Internet, and can be exploited via bugs in the firmware, without having to obtain or brute-force-guess any passwords.
Davis told Threatpost that with just a few hours' study of the firmware running on one popular ENDEC, which he declined to identify, he discovered multiple bugs, including one vulnerability that would have allowed him to remotely log into the device and insert a message of the type broadcast by KRTV.
"There is some really, really, terrible software on the other side of that box," Davis said. "There are some known issues like authentication bypasses and what I would call backdoors, although I don't know if they were meant that way." By Davis' count, as of Wednesday morning there were at least 30 exploitable ENDEC devices that were publicly accessible via the Internet and which could be remotely exploited by hackers.
"It's been known for a while that the Emergency Broadcasting System was set up without security," digital forensics consultant Jonathan Grier said via email. "The threat the U.S. had in mind was WWIII, not stateside hackers."
According to Venable's Barnett, the emergency alert devices "were developed over the last few decades, and while they're part of a network, it was before packet-switched and Internet concepts were even prevalent in our society, so some of the connections to other networks are now, you could say, bolted on."
Security researchers first discovered vulnerabilities in the EAS in 2002. In 2004, meanwhile, the FCC confirmed that "security and encryption were not the primary design criteria when EAS was developed and initially implemented," The Register reported.
"Now, however, emergency managers are becoming more aware of potential vulnerabilities within the system," said the FCC in 2004. "For example, the complete EAS protocol is a matter of public record and potentially subject to malicious activations or interference."
Given that 10 years have elapsed without a proper fix, arguably the FCC doesn't see EAS insecurities as representing a grave threat. "The response from the government was they didn't view this as a major concern: people instinctively cross-validate shocking news, so if one TV station reports, for example, a need for an emergency evacuation, it's unlikely to cause a panic -- people will cross-validate this before taking action," Grier said. "But it does make you think of Orson Welles."
Now, however, a stronger government response will be likely. "You can watch the Federal Communications Commission and FEMA to see what comes out," Barnett said. "I'm willing to bet that they'll have an investigation and report into this." He also recommended that the alerting industry rethink its approach to security. "They need to look at coming together and codifying some best practices to make sure that these types of things don't happen," he said.