Vulnerabilities / Threats
7/9/2013
11:40 AM
50%
50%

'Zombie Apocalypse' Broadcast Hoax Explained

Homeland Security details vulnerabilities in emergency alert equipment that have been exploited to create hoax broadcasts.

"The bodies of the dead are rising from their graves and attacking the living," according to an Emergency Alert System (EAS) warning broadcast earlier this year on a CBS affiliate television station in Montana. "Do not attempt to approach or apprehend these bodies as they are considered extremely dangerous."

Of course, zombies weren't really attacking. Rather, a hacker had exploited unknown vulnerabilities in the EAS to broadcast the fake warning.

How the attacker managed that feat is no longer a mystery, after the Department of Homeland Security (DHS) issued a security alert that Digital Alert Systems DASDEC-I and DASDEC-II appliances, as well as the Monroe Electronics One-Net E189 Emergency Alert System, contain multiple vulnerabilities that could be exploited to provide remote access to and control of the EAS equipment.

What's the risk? "An attacker who gains control of one or more DASDEC systems can disrupt these stations' ability to transmit and could disseminate false emergency information over a large geographic area," according to a security advisory written by Mike Davis -- principal research scientist at information security service firm IOActive -- who discovered the vulnerabilities and reported them to DHS. "In addition, depending on the configuration of this and other devices, these messages could be forwarded to and mirrored by other DASDEC systems," he said.

[ Want to know more about NSA's Prism data-gathering program? See NSA Dragnet Debacle: What It Means To IT. ]

The first vulnerability -- affecting EAS devices from Digital Alert Systems as well as its parent company, Monroe Electronics -- stems from the devices shipping with a firmware updater package that includes a copy of their default private root SSH key. Using the key, an attacker could gain remote access to the Linux-based EAS encoder/decoder (ENDEC) devices, and then broadcast fake emergency alerts over large geographic areas via digital and analog channels.

"The root privileged SSH key for the DASDEC-I and DASDEC-II appliances -- and potentially other Linux-based hardware provided by DAS -- is distributed as part of the DASDEC firmware," said Davis. "This key would allow an attacker to log in as 'root' over the Internet to a DASDEC device, and then manipulate any system function. This SSH key is publicly available and cannot be easily removed except by a root privileged user on the server, which is not provided by the DASDEC interface."

The second major vulnerability is that the devices ship with default passwords that provide full access. "Like many similar devices, the DASDEC and One-Net ENDECs use default administrative credentials," according to the DHS security alert. "Some sites fail to change the default administrative password and allow unrestricted Internet access" to the device -- meaning external access attempts aren't routed through a firewall. In such cases, attackers who know the administrative password could remotely log onto the devices unchallenged, and gain root privileges.

According to DHS, "devices exposed to the Internet are at particularly high risk," and have been previously exploited to broadcast hoax emergency alerts. Part of that risk stems from the ease with which Internet-connected devices that aren't safeguarded using firewalls and access controls can be found and identified using a search engine such as Shodan.

A third vulnerability involves the ease with which information logged by the devices can be remotely accessed. "All logged information on a DASDEC server can be accessed by an unauthenticated user," said Davis at IOActive. "Log access also allows an attacker to browse key directories, providing him with a wealth of information about the server, its administrators, its peering arrangement -- and basic login/logout information."

Monroe Electronics was informed of the vulnerabilities in January 2013, and released a related fix in April 2013 in the form of firmware v2.0-2. According to DHS, the latest firmware "disables the compromised SSH key, provides a simplified user option to install new unique keys, and enforces a new password policy."

Both the Monroe Electronics and Digital Alert Systems homepages include a prominent security recommendation that their EAS appliance customers update to the v2.0-2 firmware, "change the factory default password" and ensure that "all network connections are behind secure firewalls."

The DHS alert lauded Monroe for "[taking] considerable effort to provide update information to DASDEC and One-NetSE users" about the vulnerability and recommended fixes.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Thomas Claburn
50%
50%
Thomas Claburn,
User Rank: Moderator
7/10/2013 | 10:32:45 PM
re: 'Zombie Apocalypse' Broadcast Hoax Explained
With the CDC warning about zombies, it's perhaps not surprising some people may have been taken in.

http://blogs.cdc.gov/publichea...
OtherJimDonahue
50%
50%
OtherJimDonahue,
User Rank: Apprentice
7/10/2013 | 7:05:36 PM
re: 'Zombie Apocalypse' Broadcast Hoax Explained
Next, you'll try to tell me that "The Walking Dead" isn't a documentary.

Jim Donahue
Managing Editor
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-4807
Published: 2014-11-22
Sterling Order Management in IBM Sterling Selling and Fulfillment Suite 9.3.0 before FP8 allows remote authenticated users to cause a denial of service (CPU consumption) via a '\0' character.

CVE-2014-6183
Published: 2014-11-22
IBM Security Network Protection 5.1 before 5.1.0.0 FP13, 5.1.1 before 5.1.1.0 FP8, 5.1.2 before 5.1.2.0 FP9, 5.1.2.1 before FP5, 5.2 before 5.2.0.0 FP5, and 5.3 before 5.3.0.0 FP1 on XGS devices allows remote authenticated users to execute arbitrary commands via unspecified vectors.

CVE-2014-5395
Published: 2014-11-21
Multiple cross-site request forgery (CSRF) vulnerabilities in Huawei HiLink E3276 and E3236 TCPU before V200R002B470D13SP00C00 and WebUI before V100R007B100D03SP01C03, E5180s-22 before 21.270.21.00.00, and E586Bs-2 before 21.322.10.00.889 allow remote attackers to hijack the authentication of users ...

CVE-2014-7137
Published: 2014-11-21
Multiple SQL injection vulnerabilities in Dolibarr ERP/CRM before 3.6.1 allow remote authenticated users to execute arbitrary SQL commands via the (1) contactid parameter in an addcontact action, (2) ligne parameter in a swapstatut action, or (3) project_ref parameter to projet/tasks/contact.php; (4...

CVE-2014-7871
Published: 2014-11-21
SQL injection vulnerability in Open-Xchange (OX) AppSuite before 7.4.2-rev36 and 7.6.x before 7.6.0-rev23 allows remote authenticated users to execute arbitrary SQL commands via a crafted jslob API call.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?