Default password bug, not the rising dead, prompted emergency zombie alert
Security firm IOActive has gone public with the vulnerabilities that caused the hoax.
Application security, compliance and smart grid security service provider IOActive, Inc. announced earlier this week that vulnerabilities in products made by Digital Alert Systems, a subsidiary of Monroe Electronics, allowed the remote access that the jokers used to broadcast a scrolling message about a "zombie invasion" on four television stations in February.
IOActive's principal research scientist Mike Davis discovered that the root-privileged SSH key for DASDEC-I and DASDEC-II (digital emergency alerting and messaging technology made by Digital Alert Systems and used in the EAS), and perhaps other Linux-based hardware too, had specifically been affected, allowing attackers to log in to a DASDEC device using the default password "Root" and manipulate the system.
“This key allows an attacker to remotely log in over the internet and can manipulate any system function,” Davis said in a release. “For example, they could disrupt a station's ability to transmit and could disseminate false emergency information.”
Since then, updated firmware has been released that disables the compromised SSH key, provides a simplified user option to install new unique keys and enforces a new password policy, according to a recent US-CERT report.
Dissemination of false emergency information is precisely what happened in Michigan and Montana in February, when viewers of four different stations were alerted to “dead bodies rising from the grave and attacking the living” and were warned to “not attempt to approach or apprehend these bodies as they are extremely dangerous.”
“Depending on the configuration of this and other devices,” the IOActive report says, “these messages could be forwarded to and mirrored by other DASDEC systems.”
In February, the station manager of affected Michigan stations WBUP (ABC-10) and WBKP (CW-5) confirmed the zombie alert incident was caused by hackers. At the time, IOActive CTO Cesar Cerrudo told SC Magazine he could not provide specifics, but that hackers exploited vulnerabilities in EAS.
The EAS is designed to alert United States citizens to national emergencies via broadcast, cable, and satellite communications and is jointly coordinated by the Federal Emergency Management Agency (FEMA), the Federal Communications Commission (FCC) and the National Weather Service (NWS).
It replaced the 34-year-old Emergency Broadcast System in 1997.