When regular programming for four television stations was briefly interrupted Monday night by an emergency alert warning that there were "dead bodies rising," there's little doubt viewers in Montana and Michigan were surprised, if not frightened.
But had any researchers from security services company IOActive been watching, they probably would have let out a big yawn.
That's not to say the IOActive team is adept at handling zombies. Instead, their calmness would be due to the fact that they've known for some time that devices used to disseminate messages from the national Emergency Alert System (EAS) are vulnerable to compromise and, hence, pranks.
As it turned out, the approximately 30-second alert that reached viewers of three Michigan TV stations and one in Montana was a hoax. There were, in fact, no "dead bodies rising from the grave and attacking the living," as the message said. There was no need to heed the message's warning to "not attempt to approach or apprehend these bodies as they are extremely dangerous."
Cesar Cerrudo, the CTO of IOActive Labs, told SCMagazine.com in an email Wednesday that researchers at his firm contacted the U.S. Computer Emergency Readiness Team (US-CERT) about a month ago to report the bugs.
"The vulnerabilities allow attackers remote compromising of the devices and could let them broadcast EAS messages," he said. "Since these devices are widely used and we found some devices directly connected to the internet, we think that it's possible that hackers are currently exploiting some of these vulnerabilities."
Cerrudo would not name the devices or affected vendor, but he's hopeful the vulnerabilities will soon be fixed and not leveraged to cast warnings of incidents that might be more believable to a trusting and panicky public, such as a terrorist attack.
Cynthia Thompson, station manager at two of the affected stations – WBUP (ABC-10) and WBKP (CW-5), based in Marquette County, Mich. – confirmed the incidents were the work of hackers.
'It has been determined that a 'backdoor' attack allowed the hacker to access the security of the EAS equipment," she wrote in a Tuesday blog post.
A spokesman for the Federal Communications Commission, which regulates the EAS, could not be reached for comment. But the agency reportedly issued an advisory (PDF) to EAS participants, recommending they ensure their devices are protected.
UPDATE: An FCC spokeswoman referred SCMagazine.com to a representative for the Federal Emergency Management Agency (FEMA), who did not immediately respond.