Vulnerabilities / Threats
7/9/2013
11:40 AM

'Zombie Apocalypse' Broadcast Hoax Explained

Homeland Security details vulnerabilities in emergency alert equipment that have been exploited to create hoax broadcasts.

"The bodies of the dead are rising from their graves and attacking the living," according to an Emergency Alert System (EAS) warning broadcast earlier this year on a CBS affiliate television station in Montana. "Do not attempt to approach or apprehend these bodies as they are considered extremely dangerous."

Of course, zombies weren't really attacking. Rather, a hacker had exploited then-undisclosed vulnerabilities in the EAS equipment to broadcast the fake warning.

How the attacker managed that feat is no longer a mystery, after the Department of Homeland Security (DHS) issued a security alert that Digital Alert Systems DASDEC-I and DASDEC-II appliances, as well as the Monroe Electronics One-Net E189 Emergency Alert System, contain multiple vulnerabilities that could be exploited to provide remote access to and control of the EAS equipment.

What's the risk? "An attacker who gains control of one or more DASDEC systems can disrupt these stations' ability to transmit and could disseminate false emergency information over a large geographic area," according to a security advisory written by Mike Davis -- principal research scientist at information security service firm IOActive -- who discovered the vulnerabilities and reported them to DHS. "In addition, depending on the configuration of this and other devices, these messages could be forwarded to and mirrored by other DASDEC systems," he said.


The first vulnerability -- affecting EAS devices from Digital Alert Systems as well as its parent company, Monroe Electronics -- stems from the devices shipping with a firmware updater package that includes a copy of their default private root SSH key. Using the key, an attacker could gain remote access to the Linux-based EAS encoder/decoder (ENDEC) devices, and then broadcast fake emergency alerts over large geographic areas via digital and analog channels.

"The root privileged SSH key for the DASDEC-I and DASDEC-II appliances -- and potentially other Linux-based hardware provided by DAS -- is distributed as part of the DASDEC firmware," said Davis. "This key would allow an attacker to log in as 'root' over the Internet to a DASDEC device, and then manipulate any system function. This SSH key is publicly available and cannot be easily removed except by a root privileged user on the server, which is not provided by the DASDEC interface."
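Two checks a defender can run against the situation described above, written here as an added example rather than any code from the article, DHS or the vendor: scanning a firmware updater package for private-key material that should never ship in it, and auditing a device's authorized_keys against a list of fingerprints known to be compromised. The tarball, the fake PEM block and the ed25519 key lines are all constructed inline; no real key is used.

```python
import base64
import hashlib
import io
import re
import struct
import tarfile

# Private-key markers that have no business inside a firmware updater package.
PRIVATE_KEY_RE = re.compile(rb"-----BEGIN (?:RSA |DSA |EC |OPENSSH )?PRIVATE KEY-----")

def scan_firmware_package(tar_bytes):
    """Return (member name, byte offset) for every private-key block found in a tar package."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if member.isfile():
                data = tar.extractfile(member).read()
                findings.extend((member.name, m.start()) for m in PRIVATE_KEY_RE.finditer(data))
    return findings

def ssh_fingerprint(pubkey_line):
    """SHA256 fingerprint of one authorized_keys line, in the form ssh-keygen -lf prints."""
    blob = base64.b64decode(pubkey_line.split()[1])
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def audit_authorized_keys(text, revoked_fingerprints):
    """Return the authorized_keys lines whose fingerprint is on the revocation list."""
    hits = []
    for line in (l.strip() for l in text.splitlines()):
        if line and not line.startswith("#") and ssh_fingerprint(line) in revoked_fingerprints:
            hits.append(line)
    return hits

def build_sample_package():
    """Constructed sample updater tarball: a README plus a fake private key file (placeholder PEM)."""
    fake_key = b"-----BEGIN RSA PRIVATE KEY-----\nMIIEfakefakefake\n-----END RSA PRIVATE KEY-----\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in (("updater/README", b"firmware 1.8\n"), ("updater/keys/root_id", fake_key)):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

def constructed_pubkey_line(comment):
    """A syntactically valid ssh-ed25519 line whose 32 key bytes are made up (not a real key)."""
    kind = b"ssh-ed25519"
    raw = hashlib.sha256(comment.encode()).digest()  # deterministic stand-in for the key bytes
    blob = struct.pack(">I", len(kind)) + kind + struct.pack(">I", len(raw)) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment
```

The revocation list is whatever fingerprints the vendor advisory publishes; here the test supplies a constructed one.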

The second major vulnerability is that the devices ship with default passwords that provide full access. "Like many similar devices, the DASDEC and One-Net ENDECs use default administrative credentials," according to the DHS security alert. "Some sites fail to change the default administrative password and allow unrestricted Internet access" to the device -- meaning external access attempts aren't routed through a firewall. In such cases, attackers who know the administrative password could remotely log onto the devices unchallenged, and gain root privileges.

According to DHS, "devices exposed to the Internet are at particularly high risk," and have been previously exploited to broadcast hoax emergency alerts. Part of that risk stems from the ease with which Internet-connected devices that aren't safeguarded using firewalls and access controls can be found and identified using a search engine such as Shodan.

A third vulnerability involves the ease with which information logged by the devices can be remotely accessed. "All logged information on a DASDEC server can be accessed by an unauthenticated user," said Davis at IOActive. "Log access also allows an attacker to browse key directories, providing him with a wealth of information about the server, its administrators, its peering arrangement -- and basic login/logout information."

Monroe Electronics was informed of the vulnerabilities in January 2013, and released a related fix in April 2013 in the form of firmware v2.0-2. According to DHS, the latest firmware "disables the compromised SSH key, provides a simplified user option to install new unique keys, and enforces a new password policy."

Both the Monroe Electronics and Digital Alert Systems homepages include a prominent security recommendation that their EAS appliance customers update to the v2.0-2 firmware, "change the factory default password" and ensure that "all network connections are behind secure firewalls."

The DHS alert lauded Monroe for "[taking] considerable effort to provide update information to DASDEC and One-NetSE users" about the vulnerability and recommended fixes.

Comments
Thomas Claburn (User Rank: Ninja), 7/10/2013 10:32:45 PM
re: 'Zombie Apocalypse' Broadcast Hoax Explained
With the CDC warning about zombies, it's perhaps not surprising some people may have been taken in.

http://blogs.cdc.gov/publichea...
OtherJimDonahue (User Rank: Apprentice), 7/10/2013 7:05:36 PM
re: 'Zombie Apocalypse' Broadcast Hoax Explained
Next, you'll try to tell me that "The Walking Dead" isn't a documentary.

Jim Donahue
Managing Editor