2/15/2013 12:42 PM

Zombie Hackers Exploited Emergency Alert System Security Flaws

The FCC has known about security gaps in networked alert-system equipment for more than 10 years. What if the next hoax is serious?

The next time zombies strike Montana, who's going to believe it?

"The bodies of the dead are rising from their graves and attacking the living," warned an Emergency Alert System (EAS) hoax alert broadcast Monday on KRTV in Great Falls, Mont. "Do not attempt to approach or apprehend these bodies as they are considered extremely dangerous."

But the real danger is arguably that the nation's emergency alert program, which includes television, radio, Internet and wireless alerts, is insecure. Indeed, after this week's hoax zombie warning, the Federal Communications Commission sent an "urgent advisory" to all television stations, requiring that they immediately change the passwords on all EAS-related equipment, ensure the devices are placed behind firewalls, and verify that hackers hadn't queued up any more bogus alerts, reported Reuters.

"In this particular attack, it was just bad hygiene: passwords that weren't reset," said attorney James A. Barnett Jr., speaking by phone. From 2009 to 2012, he served as the chief of the Public Safety and Homeland Security Bureau for the FCC, where he proposed and conducted -- with the Federal Emergency Management Agency (FEMA) -- the first-ever nationwide test of the EAS.

The zombie alert hack was "a simple one," said Barnett, who's now a partner in the cybersecurity practice at law firm Venable. "This was a prank. But if something was done to try and panic the public -- or even worse, to interrupt communications during an actual emergency -- that's pretty serious."

"It isn't what they said. It is the fact that they got into the system. They could have caused some real damage," Karole White, president of the Michigan Association of Broadcasters, told Reuters. The same group of hackers, she said, this week also targeted EAS equipment at two stations in Michigan, as well as multiple stations in California, Montana and New Mexico.

According to Mike Davis, principal research scientist at security firm IOActive, many popular makes of emergency alert system encoder-decoder (ENDEC) devices contain numerous exploitable vulnerabilities. Many of the devices are also publicly reachable from the Internet, and can be exploited through bugs in their firmware without the attacker having to obtain or brute-force any passwords.

Davis told Threatpost that with just a few hours' study of the firmware running on one popular ENDEC, which he declined to identify, he discovered multiple bugs, including one vulnerability that would have allowed him to remotely log into the device and insert a message of the type broadcast by KRTV.

"There is some really, really, terrible software on the other side of that box," Davis said. "There are some known issues like authentication bypasses and what I would call backdoors, although I don't know if they were meant that way." By Davis' count, as of Wednesday morning there were at least 30 exploitable ENDEC devices that were publicly accessible via the Internet and which could be remotely exploited by hackers.
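The FCC advisory above asks stations to verify three things: that every ENDEC password has been changed from its default, that the device sits behind a firewall rather than on the open Internet, and that no bogus alerts are waiting in its transmit queue. The script below is an added example of how a station engineer might check an inventory against those three points; it is not code from the article, the FCC or any ENDEC vendor. The device records, the trusted operator network (10.20.0.0/24), the default-password list and the firewall ACLs are all constructed here for illustration, and the ACL model is a hypothetical first-match-wins list of (action, source CIDR) rules in front of each management port (IPv4 only).

```python
"""Management-exposure audit for networked EAS encoder/decoders (ENDECs).

Added example, not code from Dark Reading, the FCC or any ENDEC vendor.
It checks the three things the FCC advisory asked stations to verify:
passwords not left at vendor defaults, management interfaces reachable
only from a trusted operator network, and no unapproved alerts queued
for broadcast. All inventory data below is constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed placeholders: real vendor defaults are device-specific and
# are not given in the article.
DEFAULT_PASSWORDS = {"", "admin", "password", "1234"}

# Constructed: the only network that should reach the management ports.
TRUSTED_ADMIN_NET = ipaddress.ip_network("10.20.0.0/24")


@dataclass
class Device:
    name: str
    mgmt_ip: str
    password: str
    # Hypothetical first-match-wins ACL in front of the management port:
    # a list of (action, source_cidr) with action "allow" or "deny".
    acl: list
    # Alerts queued for broadcast: (text, approved_by_operator)
    queued_alerts: list = field(default_factory=list)


def _subtract(nets, minus):
    """Return the address space in `nets` not covered by any network in `minus`.

    Two IPv4 networks are either nested or disjoint, so each step either
    drops a network, carves a hole in it with address_exclude, or keeps it.
    """
    result = list(nets)
    for m in minus:
        carved = []
        for n in result:
            if n.subnet_of(m):
                continue                             # wholly removed
            if m.subnet_of(n):
                carved.extend(n.address_exclude(m))  # keep the remainder
            else:
                carved.append(n)                     # disjoint, untouched
        result = carved
    return result


def exposed_sources(acl, trusted=TRUSTED_ADMIN_NET):
    """Return the untrusted source networks a first-match ACL lets through.

    An "allow" rule only admits the part of its range that no earlier rule
    already matched, so a shadowed allow is ignored, and a trailing
    "deny any" does not rescue an earlier over-broad allow.
    """
    already_matched = []
    exposed = []
    for action, cidr in acl:
        net = ipaddress.ip_network(cidr, strict=False)
        reachable_here = _subtract([net], already_matched)
        if action == "allow":
            exposed.extend(_subtract(reachable_here, [trusted]))
        already_matched.append(net)
    return list(ipaddress.collapse_addresses(exposed))


def audit(device):
    """Return a list of findings for one device; an empty list means it passed."""
    findings = []
    if device.password in DEFAULT_PASSWORDS:
        findings.append("password is a known default")
    leaks = exposed_sources(device.acl)
    if leaks:
        findings.append("management port reachable from untrusted sources: "
                        + ", ".join(str(n) for n in leaks))
    for text, approved in device.queued_alerts:
        if not approved:
            findings.append(f"unapproved alert queued: {text!r}")
    return findings


# Constructed fleet: one device left the way the article describes, one fixed.
FLEET = [
    Device("endec-tx-1", "203.0.113.10", "admin",
           acl=[("allow", "0.0.0.0/0")],
           queued_alerts=[("The bodies of the dead are rising", False)]),
    Device("endec-tx-2", "10.20.0.15", "c0rrect-horse-battery",
           acl=[("allow", "10.20.0.0/24"), ("deny", "0.0.0.0/0")],
           queued_alerts=[("Required Monthly Test", True)]),
]

if __name__ == "__main__":
    for dev in FLEET:
        problems = audit(dev)
        print(dev.name, dev.mgmt_ip, "PASS" if not problems else "FAIL")
        for p in problems:
            print("   -", p)
```

The ACL check is the part worth keeping: it computes the actual untrusted address space that can reach the management port rather than just looking for a "deny any" at the end, so an allow rule that is merely broader than the operator subnet (say 10.20.0.0/16 when operators live in 10.20.0.0/24) is reported along with the exact ranges that leak.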

Comments
MyW0r1d (User Rank: Apprentice), 2/19/2013 9:34:29 PM
Thank goodness they were good-hearted, albeit bored hooligans that meant no real harm. Imagine the panic if they had presented a more credible story to be transmitted? Or instead of the Super Bowl, the next power outage may be caused by a hack (or fully functioning "smart" control software) shutting down the circuit of the grid controlling Wall Street or the Chicago Merc?
kjhiggins (User Rank: Strategist), 2/15/2013 9:33:33 PM
It sounds like the pranksters basically provided a handy proof-of-concept that could help pressure some security fixes for the technology. All I could think of when I first heard this story was Orson Welles and the confusion over his "War of the Worlds" reading on the radio.

Kelly Jackson Higgins, Senior Editor, Dark Reading