Earlier this year, the Emergency Alert System interrupted regular programming to warn the US citizens of Montana that the zombie apocalypse was upon us.
A loud buzzer went off, and a banner ran across the top of the screen, as an announcer at local TV station KRTV said it would be best not to approach the living dead:
"Civil authorities in your area have reported that the bodies of the dead are rising from their graves and attacking the living.
"Follow the messages on-screen that will be updated as information becomes available. Do not attempt to approach or apprehend these bodies, as they are extremely dangerous."
This was not true. This was a hack.
While the origin of KRTV’s hack hasn’t yet been confirmed, similar hacks are enabled by an extremely vulnerable legacy system, security services firm IOActive announced on Monday.
The vulnerabilities are in the Emergency Alerting System (EAS), widely used by US TV and radio stations.
IOActive principal research scientist Mike Davis uncovered the vulnerabilities in the application servers of two digital alerting systems, known as DASDEC-I and DASDEC-II, that receive and authenticate emergency alert messages.
The EAS is set up so that the US president can address citizens within 10 minutes of a disaster. In the past, the alerts were passed from station to station using the Associated Press (AP) or United Press International (UPI) wire services that connected to TV and radio stations.
Whenever the station received an authenticated Emergency Action Notification (EAN), the station would interrupt its broadcast to deliver the emergency alert message.
In 1997, that system – Emergency Broadcast System (EBS) – was replaced by the United States Emergency Alert System (EAS).
As IOActive explains in a security advisory [PDF], DASDEC is one of a small number of application servers now used to deliver emergency messages to television and radio stations.
After messages are received and authenticated, the DASDEC server interrupts regular broadcasts to relay the message onto the broadcast, preceded and followed by alert tones that include information about the event.
The Cyber Emergency Response Team (CERT) on 26 June issued an advisory detailing the vulnerabilities in the systems, the most severe of which is the public disclosure of the default private root SSH key.
An attacker with SSH access to such a device could use the key to log in with root privileges, CERT said.
CERT said that the devices in question – the DASDEC and One-Net ENDECs – use default administrative credentials that some stations never bother to change, leaving the devices open to unrestricted access from the internet.
IOActive says that an attacker who manages to take over one or more DASDEC systems could disrupt these stations’ ability to transmit and could disseminate bogus emergency alerts over a large geographic area.
In addition, the phony messages, depending on configuration, could be forwarded to and mirrored by other DASDEC systems.
Attacks similar to the zombie apocalypse have hit stations in Michigan, New Mexico, Utah and California, according to Wired, although the hackers in these incidents targeted local systems rather than the national EAS network.
Duane Ryan, director of programming at a station in New Mexico, admitted to Wired that it was only after the station got hacked that its staff changed the default password:
"We were hacked and we're not proud of it... We've changed them now."
A spokesman for IOActive said that they released the advisory only after working with CERT to notify the vendors first and give them time to notify customers and work on fixes.
CERT said in its advisory that two vendors, Monroe Electronics and Digital Alert Systems, already have patches out, and that they should be applied immediately to critical devices.
CERT also lists instructions on how to handle the flaws, including how to manually inspect SSH keys.
The updates from these two vendors not only fix the compromised SSH key but also enforce a new password policy.
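As an added example (not code from the article, IOActive, CERT or either vendor), here is the kind of check CERT's "manually inspect SSH keys" advice implies on the defender's side: parse a root `authorized_keys` file, compute OpenSSH-style SHA256 fingerprints, and flag any entry whose fingerprint is on a list of known-compromised keys. The key blobs, the fingerprint list and the file contents are constructed placeholders; the leaked key itself is not reproduced.

```python
import base64
import hashlib
import struct

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384"}

def make_ed25519_blob(seed: int) -> str:
    """Constructed stand-in for a public key blob; the 32-byte point is not a real key."""
    point = hashlib.sha256(seed.to_bytes(4, "big")).digest()
    wire = b"".join(struct.pack(">I", len(s)) + s for s in (b"ssh-ed25519", point))  # SSH strings
    return base64.b64encode(wire).decode()

def fingerprint(b64_blob: str) -> str:
    """OpenSSH-style SHA256 fingerprint, formatted as `ssh-keygen -lf` prints it."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text: str):
    """Return (line_no, key_type, b64_blob, comment) per valid key line; an options prefix is allowed."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        for i, tok in enumerate(tokens[:-1]):       # key type is found by token, not position
            if tok not in KEY_TYPES:
                continue
            try:
                raw = base64.b64decode(tokens[i + 1], validate=True)
            except ValueError:                      # binascii.Error is a ValueError
                break
            # The blob's own leading type string must agree with the declared type.
            if len(raw) < 4 or raw[4:4 + struct.unpack(">I", raw[:4])[0]] != tok.encode():
                break
            entries.append((n, tok, tokens[i + 1], " ".join(tokens[i + 2:])))
            break
    return entries

def find_compromised(text: str, bad_fingerprints: set) -> list:
    """Line numbers whose key fingerprint is on the list of known-compromised keys."""
    return [n for n, _, blob, _ in parse_authorized_keys(text)
            if fingerprint(blob) in bad_fingerprints]

# Placeholder: on a real device this fingerprint comes from the vendor's advisory, not from here.
DEFAULT_KEY_BLOB = make_ed25519_blob(1)
COMPROMISED_FINGERPRINTS = {fingerprint(DEFAULT_KEY_BLOB)}
SAMPLE_AUTHORIZED_KEYS = f"""# constructed /root/.ssh/authorized_keys from a hypothetical ENDEC
ssh-ed25519 {DEFAULT_KEY_BLOB} factory-default
from="192.0.2.10" ssh-ed25519 {make_ed25519_blob(2)} station-admin
ssh-ed25519 not-base64!! broken
"""
```

Against a real device, populate `COMPROMISED_FINGERPRINTS` from the vendor advisory and run `find_compromised` over `/root/.ssh/authorized_keys`; any hit is a key whose private half is public and must be removed before the device goes back online.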
That’s a good thing. Hopefully, other vendors will follow suit and re-engineer their firmware to make unchanged, default passwords a thing of the past.
It’s too easy to be passively zombie-like when it comes to letting default passwords hang around in systems.