Hackers hijack EAS system to warn of zombies, saving 3 people from watching 'The Steve Wilkos Show'
Posted by: Jon on 07/09/2013 12:35 PM [ Comments ]
One afternoon during the Steve Wilkos show the familiar, yet annoying, Emergency Alert System buzzer broke through to let viewers know that an important message was about to be aired, and on some other level saving anyone that might actually be watching the terrible show.
When the message finally came through, it was not to warn of severe weather, but was warning viewers that the zombie apocalypse was upon them. “Civil authorities in your area have reported that the bodies of the dead are rising from their graves and attacking the living,” the announcer said. “Follow the messages on-screen that will be updated as information becomes available. Do not attempt to approach or apprehend these bodies, as they are extremely dangerous.”
As funny of prank as that may seem, Wired points out that several models of Emergency Alert System decoders, used to break into TV and radio broadcasts to announce public safety warnings, have vulnerabilities that would allow hackers to hijack them and deliver fake messages to the public.
A spokesman for IOActive said that his group released the announcement only after working with CERT to notify the vendors first and give them time to notify customers and work on fixes. The CERT advisory indicated that some fixes had already been made.
IOActive principal research scientist Mike Davis uncovered the vulnerabilities in the application servers of two digital alerting systems known as DASDEC-I and DASDEC-II. The servers are responsible for receiving and authenticating emergency alert messages.
“These DASDEC application servers are currently shipped with their root privileged SSH key as part of the firmware update package,” Davis said in a statement. “This key allows an attacker to remotely log on in over the Internet and can manipulate any system function.”
Davis indicated that to resolve the issue would require “re-engineering” of the digital alerting system side as well as firmware updates pushed out to appliances in the field.
The vulnerabilities included a private root SSH key that was distributed in publicly available firmware images that would have allowed an attacker with SSH access to a device to log in with root privileges and issue fake alerts or disable the system.
Similar attacks also reportedly hit stations in Michigan, New Mexico, Utah and California. The hackers targeted local systems, however, not the national EAS network.
“We were hacked and we’re not proud of it,” Duane Ryan, director of programming at KENW, PBS station in Portales, New Mexico said after the attack, acknowledging that the station had never changed the manufacturer’s default user name and password on its EAS computers. “We’ve changed them now,” he said.
This particular breach happened earlier this year, but is getting new press as new vulnerabilities are found and identified.
Davis states that they will not be identifying the manufacturers of the vulnerable products because the bugs have not been fixed as of yet.
So before you go running out screaming to your neighbor that aliens have landed in Vero Beach, Florida, you might want to check with some 'reliable' news source to verify the legitimacy of the warning.
As funny of prank as that may seem, Wired points out that several models of Emergency Alert System decoders, used to break into TV and radio broadcasts to announce public safety warnings, have vulnerabilities that would allow hackers to hijack them and deliver fake messages to the public.
A spokesman for IOActive said that his group released the announcement only after working with CERT to notify the vendors first and give them time to notify customers and work on fixes. The CERT advisory indicated that some fixes had already been made.
IOActive principal research scientist Mike Davis uncovered the vulnerabilities in the application servers of two digital alerting systems known as DASDEC-I and DASDEC-II. The servers are responsible for receiving and authenticating emergency alert messages.
“These DASDEC application servers are currently shipped with their root privileged SSH key as part of the firmware update package,” Davis said in a statement. “This key allows an attacker to remotely log on in over the Internet and can manipulate any system function.”
Davis indicated that to resolve the issue would require “re-engineering” of the digital alerting system side as well as firmware updates pushed out to appliances in the field.
The vulnerabilities included a private root SSH key that was distributed in publicly available firmware images that would have allowed an attacker with SSH access to a device to log in with root privileges and issue fake alerts or disable the system.
Similar attacks also reportedly hit stations in Michigan, New Mexico, Utah and California. The hackers targeted local systems, however, not the national EAS network.
“We were hacked and we’re not proud of it,” Duane Ryan, director of programming at KENW, PBS station in Portales, New Mexico said after the attack, acknowledging that the station had never changed the manufacturer’s default user name and password on its EAS computers. “We’ve changed them now,” he said.
This particular breach happened earlier this year, but is getting new press as new vulnerabilities are found and identified.
Davis states that they will not be identifying the manufacturers of the vulnerable products because the bugs have not been fixed as of yet.
So before you go running out screaming to your neighbor that aliens have landed in Vero Beach, Florida, you might want to check with some 'reliable' news source to verify the legitimacy of the warning.
Comments