Known bugs could be to blame for zombie alert prank

When regular programming for four television stations was briefly interrupted Monday night by an emergency alert warning that there were "dead bodies rising," there's little doubt viewers in Montana and Michigan were surprised, if not frightened.

But had any researchers from security services company IOActive been watching, they probably would have let out a big yawn.

That's not to say the IOActive team is adept at handling zombies. Instead, their calmness would be due to the fact that they've known for some time that devices used to disseminate messages from the national Emergency Alert System (EAS) are vulnerable to compromise and, hence, pranks.

As it turned out, the approximately 30-second alert that reached viewers of three Michigan TV stations and one in Montana was a hoax. There were, in fact, no "dead bodies rising from the grave and attacking the living," as the message said. There was no need to heed the message's warning to "not attempt to approach or apprehend these bodies as they are extremely dangerous."

Cesar Cerrudo, the CTO of IOActive Labs, said in an email Wednesday that researchers at his firm contacted the U.S. Computer Emergency Readiness Team (US-CERT) about a month ago to report the bugs.

"The vulnerabilities allow attackers remote compromising of the devices and could let them broadcast EAS messages," he said. "Since these devices are widely used and we found some devices directly connected to the internet, we think that it's possible that hackers are currently exploiting some of these vulnerabilities."

Cerrudo would not name the devices or affected vendor, but he's hopeful the vulnerabilities will soon be fixed and not leveraged to cast warnings of incidents that might be more believable to a trusting and panicky public, such as a terrorist attack.

Cynthia Thompson, station manager at two of the affected stations – WBUP (ABC-10) and WBKP (CW-5), based in Marquette County, Mich. – confirmed the incidents were the work of hackers.

"It has been determined that a 'backdoor' attack allowed the hacker to access the security of the EAS equipment," she wrote in a Tuesday blog post.

A spokesman for the Federal Communications Commission, which regulates the EAS, could not be reached for comment. But the agency reportedly issued an advisory (PDF) to EAS participants, recommending they ensure their devices are protected.

UPDATE: An FCC spokeswoman referred the inquiry to a representative for the Federal Emergency Management Agency (FEMA), who did not immediately respond.
