Default password bug, not the rising dead, prompted emergency zombie alert

Security firm IOActive has gone public with the vulnerabilities that caused the hoax.

A security group has now gone public with the vulnerabilities in the national Emergency Alert System (EAS) that allowed hackers to pull a prank claiming there was a zombie outbreak.

Application security, compliance and smart grid security service provider IOActive, Inc. announced earlier this week that vulnerabilities in products made by Digital Alert Systems, a subsidiary of Monroe Electronics, allowed the remote access that the jokers used to broadcast a scrolling message of a "zombie invasion" on four television stations in February.

IOActive's principal research scientist Mike Davis discovered that the root-privileged SSH key for DASDEC-1 and DASDEC-II (digital emergency alerting and messaging technology made by Digital Alert Systems and used in the EAS), and perhaps other Linux-based hardware too, was specifically affected, allowing attackers to log in to a DASDEC device using the default password "Root" and manipulate the system.

“This key allows an attacker to remotely log in over the internet and can manipulate any system function,” Davis said in a release. “For example, they could disrupt a station's ability to transmit and could disseminate false emergency information.”

Since then, updated firmware has been released that disables the compromised SSH key, provides a simplified user option to install new unique keys and enforces a new password policy, according to a recent US-CERT report.

That is precisely what happened in Michigan and Montana in February, when viewers of four different stations were alerted to “dead bodies rising from the grave and attacking the living” and were warned to “not attempt to approach or apprehend these bodies as they are extremely dangerous.”

“Depending on the configuration of this and other devices,” the IOActive report says, “these messages could be forwarded to and mirrored by other DASDEC systems.”

In February, the station manager of affected Michigan stations WBUP (ABC-10) and WBKP (CW-5) confirmed the zombie alert incident was caused by hackers. At the time, IOActive CTO Cesar Cerrudo told SC Magazine he could not provide specifics, but that hackers exploited vulnerabilities in EAS.

The EAS is designed to alert United States citizens of national emergencies via broadcast, cable, and satellite communications and is jointly coordinated by the Federal Emergency Management Agency (FEMA), the Federal Communications Commission (FCC) and the National Weather Service (NWS).

It replaced the 34-year-old Emergency Broadcast System in 1997.
