Attacks/Breaches
2/15/2013
12:42 PM
50%
50%

Zombie Hackers Exploited Emergency Alert System Security Flaws

FCC has known about security gaps in networked alert systems equipment for more than 10 years. What if next hoax is serious?

Who Is Hacking U.S. Banks? 8 Facts
Who Is Hacking U.S. Banks? 8 Facts
(click image for larger view and for slideshow)
The next time zombies strike Montana, who's going to believe it?

"The bodies of the dead are rising from their graves and attacking the living," warned an Emergency Alert System (EAS) hoax alert broadcast Monday on KRTV in Great Falls, Mont. "Do not attempt to approach or apprehend these bodies as they are considered extremely dangerous."

But the real danger is arguably that the nation's emergency alert program, which includes television, radio, Internet and wireless alerts, is insecure. Indeed, after this week's hoax zombie warning, the Federal Communications Commission sent an "urgent advisory" to all television stations, requiring that they immediately change the passwords on all EAS-related equipment, ensure the devices are placed behind firewalls, and verify that hackers hadn't queued up any more bogus alerts, reported Reuters.

[ Remember this one? Read Royal Security Fail: 'May I Speak To Kate?' ]

"In this particular attack, it was just bad hygiene: passwords that weren't reset," said attorney James A. Barnett Jr., speaking by phone. From 2009 to 2012, he served as the chief of the Public Safety and Homeland Security Bureau for the FCC, where he proposed and conducted -- with the Federal Emergency Management Agency (FEMA) -- the first-ever nationwide test of the EAS.

The zombie alert hack was "a simple one," said Barnett, who's now a partner in the cybersecurity practice at law firm Venable. "This was a prank. But if something was done to try and panic the public -- or even worse, to interrupt communications during an actual emergency -- that's pretty serious."

"It isn't what they said. It is the fact that they got into the system. They could have caused some real damage," Karole White, president of the Michigan Association of Broadcasters, told Reuters. The same group of hackers, she said, this week also targeted EAS equipment at two stations in Michigan, as well as multiple stations in California, Montana and New Mexico.

According to Mike Davis, principal research scientist at security firm IOActive, many popular makes of emergency alert system ENDEC -- for encoder-decoder -- devices contain numerous exploitable vulnerabilities. Many of the devices are also publicly accessible via the Internet, and can be exploited via bugs in the firmware, without having to obtain or brute-force-guess any passwords.

Davis told Threatpost that with just a few hours' study of the firmware running on one popular ENDEC, which he declined to identify, he discovered multiple bugs, including one vulnerability that would have allowed him to remotely log into the device and insert a message of the type broadcast by KRTV.

"There is some really, really, terrible software on the other side of that box," Davis said. "There are some known issues like authentication bypasses and what I would call backdoors, although I don't know if they were meant that way." By Davis' count, as of Wednesday morning there were at least 30 exploitable ENDEC devices that were publicly accessible via the Internet and which could be remotely exploited by hackers.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
MyW0r1d
50%
50%
MyW0r1d,
User Rank: Apprentice
2/19/2013 | 9:34:29 PM
re: Zombie Hackers Exploited Emergency Alert System Security Flaws
Thank goodness they were good hearted, albeit bored hooligans that meant no real harm. Imagine the panic if they had presented a more credible story to be transmitted? Or instead of the SuperBowl, the next power outage may be caused by a hack (or fully functioning "smart" control software) shutting down the circuit of the grid controlling Wall Street or the Chicago Merc ?
kjhiggins
50%
50%
kjhiggins,
User Rank: Strategist
2/15/2013 | 9:33:33 PM
re: Zombie Hackers Exploited Emergency Alert System Security Flaws
It sounds like the pranksters basically provided a handy proof-of-concept that could help pressure some security fixes for the technology. All I could think of when I first heard this story was Orson Welles and the confusion over his "War of the Worlds" reading on the radio.

Kelly Jackson Higgins, Senior Editor, Dark Reading
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-3966
Published: 2015-08-30
The IPsec SA establishment process on Innominate mGuard devices with firmware 8.x before 8.1.7 allows remote authenticated users to cause a denial of service (VPN service restart) by leveraging a peer relationship to send a crafted configuration with compression.

CVE-2015-4555
Published: 2015-08-30
Buffer overflow in the HTTP administrative interface in TIBCO Rendezvous before 8.4.4, Rendezvous Network Server before 1.1.1, Substation ES before 2.9.0, and Messaging Appliance before 8.7.2 allows remote attackers to cause a denial of service or possibly execute arbitrary code via unspecified vect...

CVE-2015-5698
Published: 2015-08-30
Cross-site request forgery (CSRF) vulnerability in the web server on Siemens SIMATIC S7-1200 CPU devices with firmware before 4.1.3 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

CVE-2015-4497
Published: 2015-08-29
Use-after-free vulnerability in the CanvasRenderingContext2D implementation in Mozilla Firefox before 40.0.3 and Firefox ESR 38.x before 38.2.1 allows remote attackers to execute arbitrary code by leveraging improper interaction between resize events and changes to Cascading Style Sheets (CSS) token...

CVE-2015-4498
Published: 2015-08-29
The add-on installation feature in Mozilla Firefox before 40.0.3 and Firefox ESR 38.x before 38.2.1 allows remote attackers to bypass an intended user-confirmation requirement by constructing a crafted data: URL and triggering navigation to an arbitrary http: or https: URL at a certain early point i...

Dark Reading Radio
Archived Dark Reading Radio
Another Black Hat is in the books and Dark Reading was there. Join the editors as they share their top stories, biggest lessons, and best conversations from the premier security conference.