On a Sunday evening back in the fall of 1933, millions of radio listeners across the United States were thrown into a state of panic when they heard news alerts announcing the arrival of Martians on planet Earth. Many packed their cars with family members and possessions, fleeing into the countryside.
In fact what the radio audience heard was a portion of Orson Welles' adaptation of the well-known book, War of the Worlds by H. G. Wells. Many of the listeners believed what they heard on the radio was real because it was coming from a trusted source.
Eighty years later, residents of Great Falls, Montana, and Salt Lake City, Utah, experienced a variation on the Martian invasion theme, as the Emergency Alert System broadcast warnings of zombie attacks on Feb. 11 following what FEMA reported as hacks to the computer network through which these alerts flow. Other media stations in Michigan, California and New Mexico also broadcast warnings of the impending Zombie Apocalypse.
Standard EAS messages arrive pre-recorded and go directly into a station’s computer network system that controls emergency announcements. Unfortunately, for the stations that allowed the unfiltered news of attacking zombies to reach their respective listeners, it was a perfect storm of botched security practices. Normally, station personnel don’t or can’t interrupt EAS messages. Couple this with a lack of simple firewalls on station servers and failure to change factory default passwords on these same servers, hackers had an open door to chaos.
In 1997, the United States Emergency Alert System (EAS) replaced the older and better known Emergency Broadcast System (EBS) used to deliver local or national emergency information. The EAS is designed to "enable the President of the United States to speak to the United States within 10 minutes" after a disaster occurs. In the past, these alerts were passed from station-to-station using the Associated Press (AP) or United Press International (UPI) wire services, which connected to television and radio stations around the U.S. Whenever the station received an authenticated Emergency Action Notification (EAN), the station would manually disrupt its current broadcast to deliver the message to the public.
Today’s EAS process is simple for broadcasters. Application servers such as the DASDEC-I and DASDEC-II manufactured by Monroe Electronics/Digital Alert Systems in Lyndonville, N.Y., automatically interrupt regular programming broadcast by TV and radio stations and relay an emergency message, which is preceded and followed by alert tones. In addition to tampering with the delivery of legitimate emergency messages, attackers who use the SSH key (Secure Shell or SSH is a network protocol that allows data to be exchanged using a secure channel between two networked devices) to log into vulnerable systems could make unauthorized changes to the server and glean potentially sensitive configure information that could lead to additional hacks.
For Ed Czarnecki Ph.D. the senior director for strategy, development & regulatory affairs for Monroe Electronics/Digital Alert Systems, makers of the compromised servers, addressing issues of zombie attacks was the last thing he thought he’d be doing in 2013.
"I never thought at my age I’d being chasing zombies," he quipped. "I hate to call the zombie incident a hack. It was a front door walk-through using a default password to compose and send out bogus alerts. Out of the thousands of devices that are out on the broadcast market there have been no reports of intrusions by customers who have the proper firewall protections in place."
Czarnecki said his company was notified in January by FEMA’s CERT officials of some potential vulnerability and began looking into it. He said they were extremely proactive, issuing a soft release of a software mitigation solution in March and a full solution in April.