Default password bug, not the rising dead, prompted emergency zombie alert

Security firm IOActive has gone public with the vulnerabilities that caused the hoax.

A security group has now gone public with the vulnerabilities in the national Emergency Alert System (EAS) that allowed hackers to pull a prank claiming there was a zombie outbreak.

Application security, compliance and smart grid security service provider IOActive, Inc. announced earlier this week that vulnerabilities in products made by Digital Alert Systems, a subsidiary of Monroe Electronics, allowed the remote access that the jokers used to broadcast a scrolling message of a "zombie invasion" on four television stations in February.

IOActive's principal research scientist Mike Davis discovered that the root-privileged SSH key for DASDEC-1 and DASDEC-II (digital emergency alerting and messaging technology made by Digital Alert Systems and used in the EAS), and perhaps for other Linux-based hardware too, had specifically been affected, allowing attackers to manipulate the system by logging in to a DASDEC device using the default password "Root".

“This key allows an attacker to remotely log in over the internet and can manipulate any system function,” Davis said in a release. “For example, they could disrupt a station's ability to transmit and could disseminate false emergency information.”

Since then, updated firmware has been released that disables the compromised SSH key, provides a simplified user option to install new unique keys and enforces a new password policy, according to a recent US-CERT report.

That is precisely what happened in Michigan and Montana in February, when viewers of four different stations were alerted to “dead bodies rising from the grave and attacking the living” and were warned to “not attempt to approach or apprehend these bodies as they are extremely dangerous.”

“Depending on the configuration of this and other devices,” the IOActive report says, “these messages could be forwarded to and mirrored by other DASDEC systems.”

In February, the station manager of affected Michigan stations WBUP (ABC-10) and WBKP (CW-5) confirmed the zombie alert incident was caused by hackers. At the time, IOActive CTO Cesar Cerrudo told SC Magazine he could not provide specifics, but that hackers exploited vulnerabilities in EAS.

The EAS is designed to alert United States citizens to national emergencies via broadcast, cable, and satellite communications and is jointly coordinated by the Federal Emergency Management Agency (FEMA), the Federal Communications Commission (FCC) and the National Weather Service (NWS).

It replaced the 34-year-old Emergency Broadcast System in 1997.
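The firmware fix described above disables a key that shipped identically on every device. As an added example (not from IOActive, US-CERT or the vendor), this sketch audits `authorized_keys` content for any key whose OpenSSH SHA256 fingerprint is on a denylist of known shared keys; the key blobs, comments and denylist entry are constructed placeholders, since the article does not publish the real key.

```python
import base64
import hashlib

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

def fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_keys(text):
    """Yield (line_no, key_type, blob, comment) for each authorized_keys entry."""
    for no, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # An entry may begin with an options field (e.g. no-pty), so search
        # for the key type instead of assuming it is the first field.
        for i, field in enumerate(fields[:-1]):
            if field in KEY_TYPES:
                yield no, field, fields[i + 1], " ".join(fields[i + 2:])
                break

def find_shared_keys(text, denylist):
    """Return (line_no, key_type, fingerprint, comment) for denylisted keys."""
    hits = []
    for no, ktype, blob, comment in parse_keys(text):
        try:
            fp = fingerprint(blob)
        except ValueError:  # malformed base64: not a usable key
            continue
        if fp in denylist:
            hits.append((no, ktype, fp, comment))
    return hits

# Constructed sample data: these blobs are not real keys.
VENDOR_BLOB = base64.b64encode(b"constructed firmware-shipped key").decode()
UNIQUE_BLOB = base64.b64encode(b"constructed per-device key").decode()
SAMPLE = (
    "# constructed authorized_keys sample\n"
    f"ssh-rsa {VENDOR_BLOB} root@factory-image\n"
    f"no-pty,no-port-forwarding ssh-ed25519 {UNIQUE_BLOB} ops@station\n"
)
DENYLIST = {fingerprint(VENDOR_BLOB)}  # in practice: fingerprints from the advisory

if __name__ == "__main__":
    for no, ktype, fp, comment in find_shared_keys(SAMPLE, DENYLIST):
        print(f"line {no}: shared {ktype} key {fp} ({comment})")
```

Any hit means the device still trusts a key that is not unique to it and should have that entry removed and replaced with a per-device key.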
