7/9/2013
11:40 AM

'Zombie Apocalypse' Broadcast Hoax Explained

Homeland Security details vulnerabilities in emergency alert equipment that have been exploited to create hoax broadcasts.

"The bodies of the dead are rising from their graves and attacking the living," according to an Emergency Alert System (EAS) warning broadcast earlier this year on a CBS affiliate television station in Montana. "Do not attempt to approach or apprehend these bodies as they are considered extremely dangerous."

Of course, zombies weren't really attacking. Rather, a hacker had exploited unknown vulnerabilities in the EAS to broadcast the fake warning.

How the attacker managed that feat is no longer a mystery, after the Department of Homeland Security (DHS) issued a security alert that Digital Alert Systems DASDEC-I and DASDEC-II appliances, as well as the Monroe Electronics One-Net E189 Emergency Alert System, contain multiple vulnerabilities that could be exploited to provide remote access to and control of the EAS equipment.

What's the risk? "An attacker who gains control of one or more DASDEC systems can disrupt these stations' ability to transmit and could disseminate false emergency information over a large geographic area," according to a security advisory written by Mike Davis -- principal research scientist at information security services firm IOActive -- who discovered the vulnerabilities and reported them to DHS. "In addition, depending on the configuration of this and other devices, these messages could be forwarded to and mirrored by other DASDEC systems," he said.


The first vulnerability -- affecting EAS devices from Digital Alert Systems as well as its parent company, Monroe Electronics -- stems from the devices shipping with a firmware updater package that includes a copy of their default private root SSH key. Using the key, an attacker could gain remote access to the Linux-based EAS encoder/decoder (ENDEC) devices, and then broadcast fake emergency alerts over large geographic areas via digital and analog channels.

"The root privileged SSH key for the DASDEC-I and DASDEC-II appliances -- and potentially other Linux-based hardware provided by DAS -- is distributed as part of the DASDEC firmware," said Davis. "This key would allow an attacker to log in as 'root' over the Internet to a DASDEC device, and then manipulate any system function. This SSH key is publicly available and cannot be easily removed except by a root privileged user on the server, which is not provided by the DASDEC interface."
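The supply-chain flaw described above, a private key left inside a firmware updater package, is the kind of thing a vendor or operator can catch before shipping or installing. The following is an added example, not code from the article, DHS or the vendors: it walks a tar-format updater and reports every embedded PEM private key. The package layout, file names and key body are constructed placeholders.

```python
import io
import re
import tarfile

# PEM headers used by OpenSSH and PKCS-style private keys.
PRIVATE_KEY_RE = re.compile(
    rb"-----BEGIN (?P<kind>(?:RSA |DSA |EC |OPENSSH |ENCRYPTED )?PRIVATE KEY)-----"
)


def scan_member(name, data):
    """Return (member name, key kind) for each private key block found in one file."""
    return [(name, m.group("kind").decode()) for m in PRIVATE_KEY_RE.finditer(data)]


def scan_firmware_package(package_bytes):
    """Walk a tar-format firmware updater and report every embedded private key.

    Non-regular members and files over 1 MiB (binaries, disk images) are skipped,
    since key material is small text."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(package_bytes), mode="r:*") as tar:
        for member in tar:
            if not member.isfile() or member.size > 1 << 20:
                continue
            data = tar.extractfile(member).read()
            findings.extend(scan_member(member.name, data))
    return findings


def build_sample_package():
    """Constructed sample updater: a config, a script, and a stray root SSH key.
    The key body is a placeholder, not real key material."""
    files = {
        "updater/etc/device.conf": b"# constructed config\nlog_level=info\n",
        "updater/bin/install.sh": b"#!/bin/sh\necho installing\n",
        "updater/root/.ssh/id_rsa": (
            b"-----BEGIN RSA PRIVATE KEY-----\n"
            b"PLACEHOLDER-NOT-A-REAL-KEY\n"
            b"-----END RSA PRIVATE KEY-----\n"),
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


if __name__ == "__main__":
    for path, kind in scan_firmware_package(build_sample_package()):
        print(f"embedded {kind} found in {path}")
```

A hit on a key under a `.ssh` directory or in an `authorized_keys` counterpart is the signal to pull the package, rotate the key on every device that received it, and install per-device unique keys, which is what the v2.0-2 firmware later added.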

The second major vulnerability is that the devices ship with default passwords that provide full access. "Like many similar devices, the DASDEC and One-Net ENDECs use default administrative credentials," according to the DHS security alert. "Some sites fail to change the default administrative password and allow unrestricted Internet access" to the device -- meaning external access attempts aren't routed through a firewall. In such cases, attackers who know the administrative password could remotely log onto the devices unchallenged, and gain root privileges.

According to DHS, "devices exposed to the Internet are at particularly high risk," and have been previously exploited to broadcast hoax emergency alerts. Part of that risk stems from the ease with which Internet-connected devices that aren't safeguarded using firewalls and access controls can be found and identified using a search engine such as Shodan.

A third vulnerability involves the ease with which information logged by the devices can be remotely accessed. "All logged information on a DASDEC server can be accessed by an unauthenticated user," said Davis at IOActive. "Log access also allows an attacker to browse key directories, providing him with a wealth of information about the server, its administrators, its peering arrangement -- and basic login/logout information."

Monroe Electronics was informed of the vulnerabilities in January 2013, and released a related fix in April 2013 in the form of firmware v2.0-2. According to DHS, the latest firmware "disables the compromised SSH key, provides a simplified user option to install new unique keys, and enforces a new password policy."

Both the Monroe Electronics and Digital Alert Systems homepages include a prominent security recommendation that their EAS appliance customers update to the v2.0-2 firmware, "change the factory default password" and ensure that "all network connections are behind secure firewalls."

The DHS alert lauded Monroe for "[taking] considerable effort to provide update information to DASDEC and One-NetSE users" about the vulnerability and recommended fixes.

Comments
Thomas Claburn, User Rank: Ninja, 7/10/2013 | 10:32:45 PM
re: 'Zombie Apocalypse' Broadcast Hoax Explained
With the CDC warning about zombies, it's perhaps not surprising some people may have been taken in.

http://blogs.cdc.gov/publichea...
OtherJimDonahue, User Rank: Apprentice, 7/10/2013 | 7:05:36 PM
re: 'Zombie Apocalypse' Broadcast Hoax Explained
Next, you'll try to tell me that "The Walking Dead" isn't a documentary.

Jim Donahue
Managing Editor