
Brain Dead Security Unleashes Zombie Attack Hoax

People in Great Falls, Montana, on 11 February were startled to hear the raucous tones of the nationwide Emergency Alert System on their radios and televisions, followed by an alert telling them that the dead were rising from their graves and attacking the living. Montana was having the first recorded Zombie Apocalypse in the US.

At around the same time, broadcast stations in Michigan and New Mexico aired similar warnings. Stations in other western states, including California, also received the warnings, but did not air them.

Zombies released by undead security

The first station to air the emergency alert messages was KRTV in Great Falls, which later posted a statement that they’d had their emergency alert computers hacked. The emergency messages went out because they arrive in pre-recorded form directly into the computers that control the emergency announcements at each station and normally the station personnel don’t have a way to interrupt that.

“We were hacked and we’re not proud of it,” said Duane Ryan, Director of Programming at KENW, a public broadcasting station in Portales, New Mexico. Ryan said that the station had never changed the default user name and password from the manufacturer when they’d received their EAS computers. “We’ve changed them now,” he said.

Ryan said that KENW follows a practice that many other broadcasting stations follow, and that is to tie their EAS alerts into other stations so that an alert from one is automatically picked up by the others. He said that the station is now making it possible for operators to intervene manually so that bogus alerts, zombie-related or not, can be killed before they’re broadcast.

This particular series of intrusions took place at individual stations that had not updated their user names and passwords, which meant that it was very easy for the hackers to insert the bogus message into the system. However, it wasn’t universal. Ryan said that his station uses the same EAS computers for both its radio and television station, but that only the television station was hacked.

The good news, if there is any, is that the national EAS network wasn’t affected. According to Dan Watson, a spokesman for the Federal Emergency Management Agency (FEMA), this was a localised event. “This appears to be a breach of security of a product used by some local broadcasters,” Watson said in an e-mail to eWEEK. “FEMA’s integrated public alert and warning system was not breached or compromised and this had no impact on FEMA’s ability to activate the Emergency Alert System to notify the American public. FEMA will continue to support the FCC and other federal agencies looking into the matter.”

The emergency alert systems that were affected are all connected by an Internet-based emergency communications network. Previously, emergency alert messages used a private landline network. A number of sources report that hackers have been using botnets to attempt to break into the emergency alert systems of broadcasting stations. The EAS system is normally used for weather emergencies, disasters and Amber alerts. It can also be used by the President to make a simultaneous announcement to everyone in the US.

By now anyone who regularly reads this column is likely aware that I’ve written about failures in securing the critical infrastructure of the US and the federal government’s seeming inability to do anything about it. While the EAS isn’t specifically part of the critical infrastructure, it’s still critically important. The EAS is in fact the only way available to send emergency alerts to people in entire regions or throughout the US. But that only works when the system retains its integrity and when people believe what it says.

While an emergency alert of a zombie attack is good for a few laughs and probably wasn’t taken seriously by most people, it’s still another step toward eroding the integrity of the EAS. While it didn’t originate from the part of the system controlled by the US Department of Homeland Security, but rather from individual stations, the people who hear the alerts don’t know that. To them it initially sounded like a real emergency.

Unfortunately, these problems are exacerbated by the fact that there are a lot of places where Internet-connected computers are installed and maintained by people who are not IT professionals. These people, like the broadcast engineers who installed the EAS computers, really don’t know much about security, nor do they understand how to protect the part of the national infrastructure with which they’re entrusted.

Clearly better training would be a help, but it’s not a quick solution. Perhaps a better idea might be to adopt a practice that Cisco has been following for some time now with its Internet-facing consumer products — default user names and passwords that are not standardised. If you’ve installed a Linksys router in the last few years, you’ll have noticed that the SSID (Service Set Identification) and passwords are made up and, in the case of passwords, are not something you’d find in a dictionary. What’s more, every router is different.

Adopting such a process would cost manufacturers of Internet or public-facing equipment a little more because they’d have to revise their procedures. But it would add a lot of security to products that run in a world where people aren’t trained to be IT managers. The minor costs involved would be more than offset by not having to worry about reports of bogus zombie attacks.
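What that revised factory procedure could look like is sketched below. This is an added example, not code from eWEEK, Cisco or any EAS vendor; the serial numbers, the `unit-` user-name prefix and the record layout are assumptions made up for illustration.

```python
import hashlib
import hmac
import secrets

# Alphabet without look-alike characters (0/O, 1/l/I) so a printed label can be typed reliably.
ALPHABET = "abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"
PASSWORD_LEN = 16  # about 93 bits of entropy with this 56-symbol alphabet

def _hash(password: str, salt: bytes) -> bytes:
    # A slow, salted hash keeps a leaked firmware image from handing out passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def _random_text(length: int) -> str:
    # secrets uses the OS CSPRNG; nothing here is derived from the serial or MAC,
    # so reading one unit's label reveals nothing about any other unit.
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def provision_unit(serial: str):
    """Return (label, firmware_record) for one unit coming off the line."""
    username = "unit-" + _random_text(6)  # hypothetical naming scheme
    password = _random_text(PASSWORD_LEN)
    salt = secrets.token_bytes(16)
    label = {"serial": serial, "username": username, "password": password}
    firmware = {"serial": serial, "username": username,
                "salt": salt.hex(), "pw_hash": _hash(password, salt).hex()}
    return label, firmware  # the label is printed; only the hash is flashed

def check_login(firmware: dict, username: str, password: str) -> bool:
    candidate = _hash(password, bytes.fromhex(firmware["salt"]))
    name_ok = hmac.compare_digest(username.encode(), firmware["username"].encode())
    pw_ok = hmac.compare_digest(candidate, bytes.fromhex(firmware["pw_hash"]))
    return name_ok and pw_ok

def provision_batch(serials):
    batch = [provision_unit(s) for s in serials]
    passwords = [label["password"] for label, _ in batch]
    # A repeat at this entropy means the random source is broken: stop the line.
    if len(set(passwords)) != len(passwords):
        raise RuntimeError("duplicate factory password generated")
    return batch

if __name__ == "__main__":
    # Constructed serial numbers, for illustration only.
    for label, fw in provision_batch(["EAS-0001", "EAS-0002", "EAS-0003"]):
        print(label["serial"], label["username"], label["password"])
```

A credential that works on one unit fails on every other, so a single published manual or leaked label no longer opens the whole installed base.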


Originally published on eWeek.

Wayne Rash

Wayne Rash is senior correspondent for eWEEK and a writer with 30 years of experience. His career includes IT work for the US Air Force.
