Known bugs could be to blame for zombie alert prank

When regular programming for four television stations was briefly interrupted Monday night by an emergency alert warning that there were "dead bodies rising," there's little doubt viewers in Montana and Michigan were surprised, if not frightened.

But had any researchers from security services company IOActive been watching, they probably would have let out a big yawn.

That's not to say the IOActive team is adept at handling zombies. Instead, their calmness would be due to the fact that they've known for some time that devices used to disseminate messages from the national Emergency Alert System (EAS) are vulnerable to compromise and, hence, pranks.

As it turned out, the approximately 30-second alert that reached viewers of three Michigan TV stations and one in Montana was a hoax. There were, in fact, no "dead bodies rising from the grave and attacking the living," as the message said. There was no need to heed the message's warning to "not attempt to approach or apprehend these bodies as they are extremely dangerous."

Cesar Cerrudo, the CTO of IOActive Labs, told SCMagazine.com in an email Wednesday that researchers at his firm contacted the U.S. Computer Emergency Readiness Team (US-CERT) about a month ago to report the bugs.

"The vulnerabilities allow attackers remote compromising of the devices and could let them broadcast EAS messages," he said. "Since these devices are widely used and we found some devices directly connected to the internet, we think that it's possible that hackers are currently exploiting some of these vulnerabilities."

Cerrudo would not name the devices or affected vendor, but he's hopeful the vulnerabilities will soon be fixed and not leveraged to cast warnings of incidents that might be more believable to a trusting and panicky public, such as a terrorist attack.

Cynthia Thompson, station manager at two of the affected stations – WBUP (ABC-10) and WBKP (CW-5), based in Marquette County, Mich. – confirmed the incidents were the work of hackers.

"It has been determined that a 'backdoor' attack allowed the hacker to access the security of the EAS equipment," she wrote in a Tuesday blog post.

A spokesman for the Federal Communications Commission, which regulates the EAS, could not be reached for comment. But the agency reportedly issued an advisory (PDF) to EAS participants, recommending they ensure their devices are protected.

UPDATE: An FCC spokeswoman referred SCMagazine.com to a representative for the Federal Emergency Management Agency (FEMA), who did not immediately respond.
