Vulnerabilities / Threats
11:40 AM

'Zombie Apocalypse' Broadcast Hoax Explained

Homeland Security details vulnerabilities in emergency alert equipment that have been exploited to create hoax broadcasts.

"The bodies of the dead are rising from their graves and attacking the living," according to an Emergency Alert System (EAS) warning broadcast earlier this year on a CBS affiliate television station in Montana. "Do not attempt to approach or apprehend these bodies as they are considered extremely dangerous."

Of course, zombies weren't really attacking. Rather, a hacker had exploited unknown vulnerabilities in the EAS to broadcast the fake warning.

How the attacker managed that feat is no longer a mystery, after the Department of Homeland Security (DHS) issued a security alert that Digital Alert Systems DASDEC-I and DASDEC-II appliances, as well as the Monroe Electronics One-Net E189 Emergency Alert System, contain multiple vulnerabilities that could be exploited to provide remote access to and control of the EAS equipment.

What's the risk? "An attacker who gains control of one or more DASDEC systems can disrupt these stations' ability to transmit and could disseminate false emergency information over a large geographic area," according to a security advisory written by Mike Davis -- principal research scientist at information security service firm IOActive -- who discovered the vulnerabilities and reported them to DHS. "In addition, depending on the configuration of this and other devices, these messages could be forwarded to and mirrored by other DASDEC systems," he said.

[ Want to know more about NSA's Prism data-gathering program? See NSA Dragnet Debacle: What It Means To IT. ]

The first vulnerability -- affecting EAS devices from Digital Alert Systems as well as its parent company, Monroe Electronics -- stems from the devices shipping with a firmware updater package that includes a copy of their default private root SSH key. Using the key, an attacker could gain remote access to the Linux-based EAS encoder/decoder (ENDEC) devices, and then broadcast fake emergency alerts over large geographic areas via digital and analog channels.

"The root privileged SSH key for the DASDEC-I and DASDEC-II appliances -- and potentially other Linux-based hardware provided by DAS -- is distributed as part of the DASDEC firmware," said Davis. "This key would allow an attacker to log in as 'root' over the Internet to a DASDEC device, and then manipulate any system function. This SSH key is publicly available and cannot be easily removed except by a root privileged user on the server, which is not provided by the DASDEC interface."

The second major vulnerability is that the devices ship with default passwords that provide full access. "Like many similar devices, the DASDEC and One-Net ENDECs use default administrative credentials," according to the DHS security alert. "Some sites fail to change the default administrative password and allow unrestricted Internet access" to the device -- meaning external access attempts aren't routed through a firewall. In such cases, attackers who know the administrative password could remotely log onto the devices unchallenged, and gain root privileges.

According to DHS, "devices exposed to the Internet are at particularly high risk," and have been previously exploited to broadcast hoax emergency alerts. Part of that risk stems from the ease with which Internet-connected devices that aren't safeguarded using firewalls and access controls can be found and identified using a search engine such as Shodan.

A third vulnerability involves the ease with which information logged by the devices can be remotely accessed. "All logged information on a DASDEC server can be accessed by an unauthenticated user," said Davis at IOActive. "Log access also allows an attacker to browse key directories, providing him with a wealth of information about the server, its administrators, its peering arrangement -- and basic login/logout information."

Monroe Electronics was informed of the vulnerabilities in January 2013, and released a related fix in April 2013 in the form of firmware v2.0-2. According to DHS, the latest firmware "disables the compromised SSH key, provides a simplified user option to install new unique keys, and enforces a new password policy."

Both the Monroe Electronics and Digital Alert Systems homepages include a prominent security recommendation that their EAS appliance customers update to the v2.0-2 firmware, "change the factory default password" and ensure that "all network connections are behind secure firewalls."

The DHS alert lauded Monroe for "[taking] considerable effort to provide update information to DASDEC and One-NetSE users" about the vulnerability and recommended fixes.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Thomas Claburn
Thomas Claburn,
User Rank: Ninja
7/10/2013 | 10:32:45 PM
re: 'Zombie Apocalypse' Broadcast Hoax Explained
With the CDC warning about zombies, it's perhaps not surprising some people may have been taken in.
User Rank: Apprentice
7/10/2013 | 7:05:36 PM
re: 'Zombie Apocalypse' Broadcast Hoax Explained
Next, you'll try to tell me that "The Walking Dead" isn't a documentary.

Jim Donahue
Managing Editor
Register for Dark Reading Newsletters
White Papers
Current Issue
E-Commerce Security: What Every Enterprise Needs to Know
The mainstream use of EMV smartcards in the US has experts predicting an increase in online fraud. Organizations will need to look at new tools and processes for building better breach detection and response capabilities.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio