Default password bug, not the rising dead, prompted emergency zombie alert

Security firm IOActive has gone public with the vulnerabilities that caused the hoax.

A security group has now gone public with the vulnerabilities in the national Emergency Alert System (EAS) that allowed hackers to pull a prank claiming there was a zombie outbreak.

Application security, compliance and smart grid security service provider IOActive, Inc. announced earlier this week that vulnerabilities in products made by Digital Alert Systems, a subsidiary of Monroe Electronics, allowed for the remote access that the jokers used to broadcast a scrolling message of a "zombie invasion" on four television stations in February.

IOActive's principal research scientist Mike Davis discovered that the root-privileged SSH key for DASDEC-1 and DASDEC-II (digital emergency alerting and messaging technology made by Digital Alert Systems and used in the EAS) – and perhaps other Linux-based hardware too – was specifically affected, allowing attackers to manipulate the system by logging in to a DASDEC device using the default password "Root".

“This key allows an attacker to remotely log in over the internet and can manipulate any system function,” Davis said in a release. “For example, they could disrupt a station's ability to transmit and could disseminate false emergency information.”

Since then, updated firmware has been released that disables the compromised SSH key, provides a simplified user option to install new unique keys and enforces a new password policy, according to a recent US-CERT report.

That is precisely what happened in Michigan and Montana in February, when viewers of four different stations were alerted to “dead bodies rising from the grave and attacking the living” and were warned to “not attempt to approach or apprehend these bodies as they are extremely dangerous.”

“Depending on the configuration of this and other devices,” the IOActive report says, “these messages could be forwarded to and mirrored by other DASDEC systems.”

In February, the station manager of affected Michigan stations WBUP (ABC-10) and WBKP (CW-5) confirmed the zombie alert incident was caused by hackers. At the time, IOActive CTO Cesar Cerrudo told SC Magazine he could not provide specifics, but that hackers exploited vulnerabilities in EAS.

The EAS is designed to alert United States citizens of national emergencies via broadcast, cable, and satellite communications and is jointly coordinated by the Federal Emergency Management Agency (FEMA), the Federal Communications Commission (FCC) and the National Weather Service (NWS).

It replaced the 34-year-old Emergency Broadcast System in 1997.
