Poor password security paved the way for hackers to broadcast a bogus warning on television networks, saying that the United States was under attack by zombies, broadcasters said.
Cyber security experts said the equipment the hackers broke into remained vulnerable to further breaches, and that hackers could potentially take control of the equipment to prevent the government from sending out public warnings during an emergency.
Following the attacks Monday on a handful of TV stations, the government ordered broadcasters to change the passwords for the equipment that authorities use to instantly transmit emergency broadcasts through what is known as the Emergency Alert System, or EAS.
The Federal Communications Commission (FCC) would not comment on the attacks, but in an urgent advisory sent to TV stations on Tuesday, the agency said: “All EAS participants are required to take immediate action.”
It instructed them to change passwords on equipment from all manufacturers used to deliver emergency broadcasts to TV networks, interrupting regular programming. The FCC instructed them to ensure that gear was properly secured behind firewalls and to inspect their systems to ensure that hackers had not queued “unauthorized alerts” for future transmission.
The attacks come in the wake of warnings by officials and outside security experts that the United States is at risk of a cyber attack that could cause major physical damage or even cost lives. President Barack Obama has told Congress that some hackers were looking for ways to attack the U.S. power grid, banks and air traffic control systems.
While the zombie hoax appeared to be somewhat innocuous, the relatively easy incursion showed that hackers might be able to wreak havoc with more alarming communications.
“It isn’t what they said. It is the fact that they got into the system. They could have caused some real damage,” said Karole White, president of the Michigan Association of Broadcasters.
White and her counterpart in Montana, Greg MacDonald, said they believed the hackers were able to get in because TV stations had not changed the default passwords they used when the equipment was first shipped from the manufacturer.
But Mike Davis, a hardware security expert with a firm known as IOActive Labs, said hackers could still get past new passwords to remotely access the systems.
Davis said he had submitted a report to the Department of Homeland Security’s U.S. Computer Emergency Readiness Team, or US-CERT, about a month ago that detailed the security flaws.
“Changing passwords is insufficient to prevent unauthorized remote login. There are still multiple undisclosed authentication bypasses,” he told Reuters via email. “I would recommend disconnecting them from the network until a fix is available.”
Davis said he was able to use Google Inc’s search engine to identify some 30 systems that he believed were vulnerable to attack as of Wednesday morning.
A spokesman for US-CERT said he could not immediately comment on the matter.
MANY WAYS IN
Stuart McClure, chief executive of cyber security firm Cylance Inc., said he had investigated cases in which hackers accessed EAS systems via a different method: breaking into hidden accounts built into the systems by manufacturers so that service technicians can easily access them for repairs.
“You cannot give a separate pass code to everybody. Nobody is going to remember it. You have to share the secret,” said McClure, who previously ran a unit at Intel Corp’s McAfee security division that investigated cyber attacks.
He declined to discuss the cases he had worked on, saying that would violate client confidentiality.
Broadcasters and security experts warned that attacks on the Emergency Alert System could undermine the government’s ability to communicate with the public in times of crisis.
“While EAS may not control nuclear power or hydroelectric dams or air traffic control, it can be used to cause widespread panic,” McClure said.
Indeed, far worse than broadcasting zombie jokes, hackers who are able to gain control of the equipment could prevent authorities from warning the public about actual emergencies, McClure added.
Federal Emergency Management Agency spokesman Dan Watson said that the “zombie” breach did not have any impact on the government’s ability to activate the Emergency Alert System.
’BODIES ARE RISING’
The “zombie” hackers targeted two stations in Michigan, and several in California, Montana and New Mexico, White said.
A male voice addressed viewers in a video posted on the Internet of the bogus warning broadcast from KRTV, a CBS affiliate based in Great Falls, Montana: “Civil authorities in your area have reported that the bodies of the dead are rising from the grave and attacking the living.”
The voice warned not “to approach or apprehend these bodies as they are extremely dangerous.”
Bill Robertson, vice president of privately held electronics manufacturer Monroe Electronics of Lyndonville, New York, told Reuters that equipment from his company had been compromised in at least some of the attacks after hackers gained access to default passwords.
Monroe publishes the default passwords for its equipment in user manuals that can be accessed on its public website.
Robertson said that he believed attackers had been able to access the devices over the Internet because television stations had not properly secured the equipment behind fire walls, which is what Monroe recommends.
“The devices were not really locked down right. They were exposed,” he said.
He said that the company was working to beef up security on the equipment and might update its software to compel customers to change default passwords.