Several models of Emergency Alert System decoders, used to break into TV and radio broadcasts to announce public safety warnings, have vulnerabilities that would allow hackers to hijack them and deliver fake messages to the public, according to an announcement on Monday by IOActive, a security firm.
Earlier this year hackers used default credentials to break into the Emergency Alert System at local TV station KRTV in Montana to interrupt programming with an alert about a zombie apocalypse.
During an afternoon broadcast of the Steve Wilkos talk show, a loud buzzer sounded and a banner ran across the top of the screen as an announcer’s voice warned viewers that the zombie apocalypse was upon them.
“Civil authorities in your area have reported that the bodies of the dead are rising from their graves and attacking the living,” the announcer said. “Follow the messages on-screen that will be updated as information becomes available. Do not attempt to approach or apprehend these bodies, as they are extremely dangerous.”
Similar attacks also reportedly hit stations in Michigan, New Mexico, Utah and California. The hackers targeted local systems, however, not the national EAS network.
“We were hacked and we’re not proud of it,” Duane Ryan, director of programming at KENW, the PBS station in Portales, New Mexico, said after the attack, acknowledging that the station had never changed the manufacturer’s default user name and password on its EAS computers. “We’ve changed them now,” he said.
Mike Davis, IOActive's principal research scientist, uncovered the vulnerabilities in the DASDEC digital alerting system application servers. A DASDEC receives EAS messages and authenticates them; once a message has been authenticated, the unit interrupts the station's broadcast and overlays the alert, together with the alert tone, carrying information about the event. The affected devices are the DASDEC-I and DASDEC-II appliances. The Montana intrusion relied on unchanged default credentials; the weakness Davis found is a separate one, a privileged SSH key shipped inside the firmware itself, so changing the default password alone does not close it.
“Earlier this year we were shown an example of an intrusion on the EAS when the Montana Television Network's regular programming was interrupted by news of a zombie apocalypse. Although there was no zombie apocalypse, it did highlight just how vulnerable the system is,” said Mike Davis, principal research scientist for IOActive. “These DASDEC application servers are currently shipped with their root privileged SSH key as part of the firmware update package. This key allows an attacker to remotely log in over the Internet and manipulate any system function. For example, they could disrupt a station's ability to transmit and could disseminate false emergency information. For any of these issues to be resolved, we believe that re-engineering needs to be done on the digital alerting system side and firmware updates need to be pushed to all appliances.”
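The failure mode Davis describes is a private key that grants root login, distributed to the whole installed base inside a downloadable firmware update. Anyone auditing a firmware image, their own or a vendor's, wants a quick check for exactly that before the image ships or is installed. The script below is an added example, not code from IOActive, the vendor or the original article. It assumes a generic Linux-style layout in the unpacked image (etc/ssh/ for host keys, root/.ssh/ for the root account), knows nothing about the actual DASDEC package format, and runs against a constructed sample tree whose key bodies are placeholder text, not real keys.

```python
"""Audit an unpacked firmware tree for SSH key material that would let a third
party log in to every device built from that image.

Added example; assumes a Linux-style filesystem layout and a constructed
sample tree. It is not the vendor's or IOActive's code.
"""
import re
import tempfile
from pathlib import Path

# PEM armour used by OpenSSL and OpenSSH for private keys. Matching on the
# header alone finds keys even inside a raw, unparsed image.
PEM_HEADER = re.compile(
    rb"-----BEGIN (?P<kind>(?:RSA |DSA |EC |OPENSSH |ENCRYPTED )?PRIVATE KEY)-----"
)
# Either marker means the key is passphrase-protected and not usable as-is.
ENCRYPTED_MARKER = re.compile(
    rb"Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----"
)


def find_private_keys(blob):
    """Return (offset, kind, encrypted) for every PEM private key in blob.

    Works on a whole firmware image as well as on a single extracted file.
    """
    hits = []
    for m in PEM_HEADER.finditer(blob):
        # The encryption marker, if any, sits in the first few lines after
        # the header, so a short window after the match is enough.
        window = blob[m.start():m.start() + 256]
        encrypted = ENCRYPTED_MARKER.search(window) is not None
        hits.append((m.start(), m.group("kind").decode(), encrypted))
    return hits


def audit_firmware_tree(root):
    """Walk an unpacked firmware tree and classify the SSH material found."""
    root = Path(root)
    findings = {"host_keys": [], "identity_keys": [], "root_authorized_keys": []}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if rel == "root/.ssh/authorized_keys":
            # Every public key listed here logs in as root on every unit.
            findings["root_authorized_keys"].append(rel)
            continue
        for _offset, kind, encrypted in find_private_keys(path.read_bytes()):
            entry = (rel, kind, encrypted)
            if rel.startswith("etc/ssh/"):
                # Host keys are expected on a device, but the same host key in
                # every unit lets an attacker impersonate any of them.
                findings["host_keys"].append(entry)
            else:
                # A user identity key baked into firmware is a login key that
                # anyone who downloads the image now holds.
                findings["identity_keys"].append(entry)
    return findings


def verdict(findings):
    """Rank the findings, worst case first."""
    usable_identity = [f for f in findings["identity_keys"] if not f[2]]
    if usable_identity and findings["root_authorized_keys"]:
        return "CRITICAL: shipped root login key"
    if usable_identity or findings["root_authorized_keys"]:
        return "HIGH: login key material in image"
    if findings["host_keys"]:
        return "MEDIUM: shared host key"
    return "OK"


def build_sample_tree():
    """Constructed firmware tree for the demo; bodies are placeholders, not keys."""
    base = Path(tempfile.mkdtemp(prefix="fw-"))
    files = {
        "etc/ssh/ssh_host_rsa_key": b"-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n",
        "root/.ssh/id_rsa": b"-----BEGIN OPENSSH PRIVATE KEY-----\nPLACEHOLDER\n-----END OPENSSH PRIVATE KEY-----\n",
        "root/.ssh/authorized_keys": b"ssh-rsa AAAAPLACEHOLDER vendor@build\n",
        "opt/vendor/backup.pem": b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,00\n\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n",
        "usr/bin/placeholder": b"\x7fELF placeholder binary, no key material\n",
    }
    for rel, data in files.items():
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return base


if __name__ == "__main__":
    tree = build_sample_tree()
    result = audit_firmware_tree(tree)
    for category, entries in result.items():
        for entry in entries:
            print(f"{category:20s} {entry}")
    print(verdict(result))
```

Run against a real unpacked image, the interesting result is not the host key under etc/ssh/ (every SSH server has one, though a shared one across all units is still worth fixing) but an identity key outside it paired with a root authorized_keys file: that combination is a remote root login for anyone who can download the update, which is the condition Davis describes. Point find_private_keys at the raw update file as well, since keys embedded in a compressed or unusual container will surface only after that container is unpacked.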
The EAS is designed to enable the President of the United States to speak to US citizens within 10 minutes of a disaster occurring.