Attacks/Breaches
2/15/2013
12:42 PM

Zombie Hackers Exploited Emergency Alert System Security Flaws

FCC has known about security gaps in networked alert systems equipment for more than 10 years. What if next hoax is serious?



Who Is Hacking U.S. Banks? 8 Facts
Who Is Hacking U.S. Banks? 8 Facts
(click image for larger view and for slideshow)
The next time zombies strike Montana, who's going to believe it?

"The bodies of the dead are rising from their graves and attacking the living," warned an Emergency Alert System (EAS) hoax alert broadcast Monday on KRTV in Great Falls, Mont. "Do not attempt to approach or apprehend these bodies as they are considered extremely dangerous."

But the real danger is arguably that the nation's emergency alert program, which includes television, radio, Internet and wireless alerts, is insecure. Indeed, after this week's hoax zombie warning, the Federal Communications Commission sent an "urgent advisory" to all television stations, requiring that they immediately change the passwords on all EAS-related equipment, ensure the devices are placed behind firewalls, and verify that hackers hadn't queued up any more bogus alerts, reported Reuters.

[ Remember this one? Read Royal Security Fail: 'May I Speak To Kate?' ]

"In this particular attack, it was just bad hygiene: passwords that weren't reset," said attorney James A. Barnett Jr., speaking by phone. From 2009 to 2012, he served as the chief of the Public Safety and Homeland Security Bureau for the FCC, where he proposed and conducted -- with the Federal Emergency Management Agency (FEMA) -- the first-ever nationwide test of the EAS.

The zombie alert hack was "a simple one," said Barnett, who's now a partner in the cybersecurity practice at law firm Venable. "This was a prank. But if something was done to try and panic the public -- or even worse, to interrupt communications during an actual emergency -- that's pretty serious."

"It isn't what they said. It is the fact that they got into the system. They could have caused some real damage," Karole White, president of the Michigan Association of Broadcasters, told Reuters. The same group of hackers, she said, this week also targeted EAS equipment at two stations in Michigan, as well as multiple stations in California, Montana and New Mexico.

According to Mike Davis, principal research scientist at security firm IOActive, many popular makes of emergency alert system ENDEC -- for encoder-decoder -- devices contain numerous exploitable vulnerabilities. Many of the devices are also publicly accessible via the Internet, and can be exploited via bugs in the firmware, without having to obtain or brute-force-guess any passwords.

Davis told Threatpost that with just a few hours' study of the firmware running on one popular ENDEC, which he declined to identify, he discovered multiple bugs, including one vulnerability that would have allowed him to remotely log into the device and insert a message of the type broadcast by KRTV.

"There is some really, really, terrible software on the other side of that box," Davis said. "There are some known issues like authentication bypasses and what I would call backdoors, although I don't know if they were meant that way." By Davis' count, as of Wednesday morning there were at least 30 exploitable ENDEC devices that were publicly accessible via the Internet and which could be remotely exploited by hackers.

"It's been known for a while that the Emergency Broadcasting System was set up without security," digital forensics consultant Jonathan Grier said via email. "The threat the U.S. had in mind was WWIII, not stateside hackers."

According to Venable's Barnett, the emergency alert devices "were developed over the last few decades, and while they're part of a network, it was before packet-switched and Internet concepts were even prevalent in our society, so some of the connections to other networks are now, you could say, bolted on."

Security researchers first discovered vulnerabilities in the EAS in 2002. In 2004, meanwhile, the FCC confirmed that "security and encryption were not the primary design criteria when EAS was developed and initially implemented," The Register reported.

"Now, however, emergency managers are becoming more aware of potential vulnerabilities within the system," said the FCC in 2004. "For example, the complete EAS protocol is a matter of public record and potentially subject to malicious activations or interference."

Given that 10 years have elapsed without a proper fix, arguably the FCC doesn't see EAS insecurities as representing a grave threat. "The response from the government was they didn't view this as a major concern: people instinctively cross-validate shocking news, so if one TV station reports, for example, a need for an emergency evacuation, it's unlikely to cause a panic -- people will cross-validate this before taking action," Grier said. "But it does make you think of Orson Welles."

Now, however, a stronger government response will be likely. "You can watch the Federal Communications Commission and FEMA to see what comes out," Barnett said. "I'm willing to bet that they'll have an investigation and report into this." He also recommended that the alerting industry rethink its approach to security. "They need to look at coming together and codifying some best practices to make sure that these types of things don't happen," he said.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
MyW0r1d
50%
50%
MyW0r1d,
User Rank: Apprentice
2/19/2013 | 9:34:29 PM
re: Zombie Hackers Exploited Emergency Alert System Security Flaws
Thank goodness they were good hearted, albeit bored hooligans that meant no real harm. Imagine the panic if they had presented a more credible story to be transmitted? Or instead of the SuperBowl, the next power outage may be caused by a hack (or fully functioning "smart" control software) shutting down the circuit of the grid controlling Wall Street or the Chicago Merc ?
kjhiggins
50%
50%
kjhiggins,
User Rank: Strategist
2/15/2013 | 9:33:33 PM
re: Zombie Hackers Exploited Emergency Alert System Security Flaws
It sounds like the pranksters basically provided a handy proof-of-concept that could help pressure some security fixes for the technology. All I could think of when I first heard this story was Orson Welles and the confusion over his "War of the Worlds" reading on the radio.

Kelly Jackson Higgins, Senior Editor, Dark Reading
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7178
Published: 2014-11-28
Enalean Tuleap before 7.5.99.6 allows remote attackers to execute arbitrary commands via the User-Agent header, which is provided to the passthru PHP function.

CVE-2014-7850
Published: 2014-11-28
Cross-site scripting (XSS) vulnerability in the Web UI in FreeIPA 4.x before 4.1.2 allows remote attackers to inject arbitrary web script or HTML via vectors related to breadcrumb navigation.

CVE-2014-8423
Published: 2014-11-28
Unspecified vulnerability in the management portal in ARRIS VAP2500 before FW08.41 allows remote attackers to execute arbitrary commands via unknown vectors.

CVE-2014-8424
Published: 2014-11-28
ARRIS VAP2500 before FW08.41 does not properly validate passwords, which allows remote attackers to bypass authentication.

CVE-2014-8425
Published: 2014-11-28
The management portal in ARRIS VAP2500 before FW08.41 allows remote attackers to obtain credentials by reading the configuration files.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?