Brain Dead Security Unleashes Zombie Attack Hoax

People in Great Falls, Montana on 11 February were startled to hear the raucous tones on their radios and televisions of the nationwide Emergency Alert System followed by an alert telling them that the dead were rising from their graves and attacking the living.  Montana was having the first recorded Zombie Apocalypse in the US.

At around the same time broadcast stations in Michigan and New Mexico aired similar warnings. Stations in other western states, including California also received the warnings, but did not air them.

Zombies released by undead security

The first station to air the emergency alert messages was KRTV in Great Falls, which later posted a statement that they’d had their emergency alert computers hacked. The emergency messages went out because they arrive in pre-recorded form directly into the computers that control the emergency announcements at each station and normally the station personnel don’t have a way to interrupt that.

“We were hacked and we’re not proud of it,” Duane Ryan, Director of Programming at KENW, a public broadcasting station in Portales, New Mexico. Ryan said that the station had never changed the default user name and password from the manufacturer when they’d received their EAS computers. “We’ve changed them now,” he said.

This particular series of intrusions took place at individual stations that had not updated their user names and passwords, which meant that it was very easy for the hackers to insert the bogus message into the system. However, it wasn’t universal. Ryan said that his station uses the same EAS computers for both its radio and television station, but that only the television station was hacked.

The good news, if there is any, is that the national EAS network wasn’t affected. According to Dan Watson, a spokesman for the Federal Emergency Management Agency (FEMA), this was a localised event. “This appears to be a breach of security of a product used by some local broadcasters,” Watson said in an e-mail to eWEEK. “FEMA’s integrated public alert and warning system was not breached or compromised and this had no impact on FEMA’s ability to activate the Emergency Alert System to notify the American public. FEMA will continue to support the FCC and other federal agencies looking into the matter.”

The emergency alert systems that were affected are all connected by an Internet-based emergency communications network. Previously, emergency alert messages used a private landline network. A number of sources report that hackers have been using botnets to attempt to break into the emergency alert systems of broadcasting stations. The EAS system is normally used for weather emergencies, disasters and Amber alerts. It can also be used by the President to make a simultaneous announcement to everyone in the US.

By now anyone who regularly reads this column is likely aware that I’ve written about failures in securing the critical infrastructure of the US and the federal government’s seeming inability to do anything about it. While the EAS isn’t specifically part of the critical infrastructure, it’s still critically important. The EAS is in fact the only way available to send emergency alerts to people in entire regions or throughout the US. But that only works when the system retains its integrity and when people believe what it says.

While an emergency alert of a zombie attack is good for a few laughs and probably wasn’t taken seriously by most people, it’s still another step toward eroding the integrity of the EAS. While it didn’t originate from the part of the system controlled by the US Department of Homeland Security, but rather from individual stations, the people who hear the alerts don’t know that. To them it initially sounded like a real emergency.

Unfortunately, these problems are exacerbated by the fact that there are a lot of places where Internet connected computers are installed and maintained by people who are not IT professionals. These people, like the broadcast engineers who installed the EAS computers, really don’t know much about security nor do they understand how to protect the part of the national infrastructure with which they’re entrusted.

Clearly better training would be a help, but it’s not a quick solution. Perhaps a better idea might be to adopt a practice that Cisco has been following for some time now with its Internet facing consumer products — default user names and passwords that are not standardised. If you’ve installed a Linksys router in the last few years, you’ll have noticed that the SSID (Service Set Identification) and passwords are made up and in the case of passwords are not something you’d find in a dictionary. What’s more, every router is different.

Adopting such a process would cost manufacturers of Internet or public-facing equipment a little more because they’d have to revise their procedures. But it would add a lot of security to products that run in a world where people aren’t trained to be IT managers. The minor costs involved would be more than offset by not having to worry about reports of bogus zombie attacks.

Want more Tech Failures? Try our quiz!

Originally published on eWeek.