Vulnerabilities / Threats
7/9/2013
11:40 AM

'Zombie Apocalypse' Broadcast Hoax Explained

Homeland Security details vulnerabilities in emergency alert equipment that have been exploited to create hoax broadcasts.

"The bodies of the dead are rising from their graves and attacking the living," according to an Emergency Alert System (EAS) warning broadcast earlier this year on a CBS affiliate television station in Montana. "Do not attempt to approach or apprehend these bodies as they are considered extremely dangerous."

Of course, zombies weren't really attacking. Rather, a hacker had exploited then-unknown vulnerabilities in the EAS to broadcast the fake warning.

How the attacker managed that feat is no longer a mystery, after the Department of Homeland Security (DHS) issued a security alert that Digital Alert Systems DASDEC-I and DASDEC-II appliances, as well as the Monroe Electronics One-Net E189 Emergency Alert System, contain multiple vulnerabilities that could be exploited to provide remote access to and control of the EAS equipment.

What's the risk? "An attacker who gains control of one or more DASDEC systems can disrupt these stations' ability to transmit and could disseminate false emergency information over a large geographic area," according to a security advisory written by Mike Davis -- principal research scientist at information security service firm IOActive -- who discovered the vulnerabilities and reported them to DHS. "In addition, depending on the configuration of this and other devices, these messages could be forwarded to and mirrored by other DASDEC systems," he said.


The first vulnerability -- affecting EAS devices from Digital Alert Systems as well as its parent company, Monroe Electronics -- stems from the devices shipping with a firmware updater package that includes a copy of their default private root SSH key. Using the key, an attacker could gain remote access to the Linux-based EAS encoder/decoder (ENDEC) devices, and then broadcast fake emergency alerts over large geographic areas via digital and analog channels.

"The root privileged SSH key for the DASDEC-I and DASDEC-II appliances -- and potentially other Linux-based hardware provided by DAS -- is distributed as part of the DASDEC firmware," said Davis. "This key would allow an attacker to log in as 'root' over the Internet to a DASDEC device, and then manipulate any system function. This SSH key is publicly available and cannot be easily removed except by a root privileged user on the server, which is not provided by the DASDEC interface."
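A shared root key shipped in firmware is only dangerous while its public half is still trusted on the appliance, so the defender's first check is whether the compromised key is still present in the root account's `authorized_keys`. The following audit script is an added example, not code from the article, IOActive or the vendor: it parses an OpenSSH `authorized_keys` file, computes the OpenSSH-style SHA256 fingerprint of each key, and flags any entry whose fingerprint is on a revocation list. The key material, the revocation list and the sample file are all constructed here; the real DASDEC key is not on this page and is not reproduced.

```python
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (4-byte big-endian length + data)."""
    return struct.pack(">I", len(data)) + data


def build_ed25519_blob(raw_public_key: bytes) -> bytes:
    """Build the wire-format public key blob that appears base64-encoded in authorized_keys."""
    return _ssh_string(b"ssh-ed25519") + _ssh_string(raw_public_key)


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint: base64(sha256(blob)) with '=' padding stripped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


# Token prefixes that mark the start of the key itself on an authorized_keys line.
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def parse_authorized_keys(text: str) -> list[dict]:
    """Parse authorized_keys text into entries with line number, type, fingerprint, options and comment."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split()
        # A line may begin with options (from=..., command=...); the key type token marks
        # where the key starts. Simplification: quoted options containing spaces are not handled.
        idx = next((i for i, p in enumerate(parts) if p.startswith(KEY_TYPE_PREFIXES)), None)
        if idx is None or idx + 1 >= len(parts):
            continue
        try:
            blob = base64.b64decode(parts[idx + 1], validate=True)
        except ValueError:
            continue  # malformed key material: skip it rather than abort the audit
        entries.append({
            "line": lineno,
            "type": parts[idx],
            "fingerprint": fingerprint(blob),
            "options": " ".join(parts[:idx]),
            "comment": " ".join(parts[idx + 2:]),
        })
    return entries


def audit(text: str, revoked_fingerprints: set[str]) -> list[dict]:
    """Return the entries whose fingerprint is on the revocation list."""
    return [e for e in parse_authorized_keys(text) if e["fingerprint"] in revoked_fingerprints]


# --- constructed sample data: not real key material, not the DASDEC key ---
VENDOR_KEY_RAW = bytes(range(32))       # stand-in for a key shipped in firmware
SITE_KEY_RAW = bytes(range(32, 64))     # stand-in for a key the site generated itself
VENDOR_KEY_B64 = base64.b64encode(build_ed25519_blob(VENDOR_KEY_RAW)).decode("ascii")
SITE_KEY_B64 = base64.b64encode(build_ed25519_blob(SITE_KEY_RAW)).decode("ascii")

# Revocation list: fingerprints an operator knows to be compromised (constructed).
REVOKED = {fingerprint(build_ed25519_blob(VENDOR_KEY_RAW))}

SAMPLE_AUTHORIZED_KEYS = f"""\
# constructed sample of /root/.ssh/authorized_keys on an appliance
ssh-ed25519 {VENDOR_KEY_B64} vendor-default (constructed stand-in for a firmware-shipped key)
from="10.0.0.5" ssh-ed25519 {SITE_KEY_B64} site-admin (constructed)
not-a-key-line
"""


def audit_sample() -> list[dict]:
    """Run the audit over the constructed sample file."""
    return audit(SAMPLE_AUTHORIZED_KEYS, REVOKED)


if __name__ == "__main__":
    for hit in audit_sample():
        print(f"line {hit['line']}: {hit['type']} {hit['fingerprint']} ({hit['comment']}) is revoked")
```

Fingerprints are compared rather than raw base64 blobs so the same list works for keys stored with different options or comments, and so an operator can build the revocation list from `ssh-keygen -lf` output without handling the private key at all. On an appliance this would be run against the root account's `authorized_keys` and the result cross-checked against the vendor's v2.0-2 guidance on disabling the shipped key and installing a unique one.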

The second major vulnerability is that the devices ship with default passwords that provide full access. "Like many similar devices, the DASDEC and One-Net ENDECs use default administrative credentials," according to the DHS security alert. "Some sites fail to change the default administrative password and allow unrestricted Internet access" to the device -- meaning external access attempts aren't routed through a firewall. In such cases, attackers who know the administrative password could remotely log onto the devices unchallenged, and gain root privileges.

According to DHS, "devices exposed to the Internet are at particularly high risk," and have been previously exploited to broadcast hoax emergency alerts. Part of that risk stems from the ease with which Internet-connected devices that aren't safeguarded using firewalls and access controls can be found and identified using a search engine such as Shodan.

A third vulnerability involves the ease with which information logged by the devices can be remotely accessed. "All logged information on a DASDEC server can be accessed by an unauthenticated user," said Davis at IOActive. "Log access also allows an attacker to browse key directories, providing him with a wealth of information about the server, its administrators, its peering arrangement -- and basic login/logout information."

Monroe Electronics was informed of the vulnerabilities in January 2013, and released a related fix in April 2013 in the form of firmware v2.0-2. According to DHS, the latest firmware "disables the compromised SSH key, provides a simplified user option to install new unique keys, and enforces a new password policy."

Both the Monroe Electronics and Digital Alert Systems homepages include a prominent security recommendation that their EAS appliance customers update to the v2.0-2 firmware, "change the factory default password" and ensure that "all network connections are behind secure firewalls."

The DHS alert lauded Monroe for "[taking] considerable effort to provide update information to DASDEC and One-NetSE users" about the vulnerability and recommended fixes.

Comments
Thomas Claburn, User Rank: Moderator
7/10/2013 | 10:32:45 PM
re: 'Zombie Apocalypse' Broadcast Hoax Explained
With the CDC warning about zombies, it's perhaps not surprising some people may have been taken in.

http://blogs.cdc.gov/publichea...
OtherJimDonahue, User Rank: Apprentice
7/10/2013 | 7:05:36 PM
re: 'Zombie Apocalypse' Broadcast Hoax Explained
Next, you'll try to tell me that "The Walking Dead" isn't a documentary.

Jim Donahue
Managing Editor