On February 11, unsuspecting viewers of stations in Montana, Michigan and elsewhere were interrupted by a warning from the Emergency Alert Service (EAS). In this case, the message couldn’t have been more dire: the dead were rising from their graves and attacking the living. Viewers were urged to stay away from the animated corpses, which were extremely dangerous.
If you hadn’t guessed: the EAS broadcasts were a hoax – the product of a hack of EAS systems operated by the stations and manipulated by as-yet unknown hackers. The stations affected by the hack issued apologies and everyone got a good chuckle. Zombie Apocalypse, indeed! But the story behind the hack is much less amusing, and exposes gaping security holes in a decades-old, federally managed system that disseminates critical, life-saving information to the public.
The latest “Zombie Apocalypse” hacks, it turns out, were the result of weak password controls. Actually, “weak” is overstating things – “nonexistent” might be a better word. It turns out that KRTV and other stations never changed the default administrative passwords for CAP-EAS devices sold by the firm Monroe Electronics.
CAP-EAS systems are used to circulate EAS warnings. They can receive messages in a variety of formats, including via radio and, now, XML, Davis said. Once they receive a message, they authenticate it, then schedule it for broadcast. The rules of the EAS system are that emergency broadcasts preempt the current broadcast, period, with no opportunity for review. That’s how the Zombie alert got such wide airplay despite obviously being a hoax. In recent years, with an updating of the EAS (formerly the Emergency Broadcast System), these devices have added a slew of functionality and, today, are IP-enabled network boxes that can send and receive e-mail, host web pages and upload and download files via FTP.
But with great power comes great responsibility and, unfortunately, most broadcasters don’t have the staff or the wherewithal to understand all the various capabilities of their CAP-EAS boxes and to take steps to secure the devices. The boxes that were hacked in the Zombie Apocalypse could be accessed using a password that appeared in the device’s documentation – documentation that was freely accessible online. Beyond that, the devices weren’t firewalled, meaning that anyone who knew what to look for could find them using a search engine like Shodan, or even Google.
In an interview, Ed Zarnacki of Monroe Electronics told me that he knew of six customers using that company’s R-189 CAP-EAS hardware who were hacked. None had changed the factory default password or taken any steps to secure their devices post deployment, despite explicit warnings in the company’s documentation of the need to protect the devices from unauthorized access.
Broadcasters have plenty of sound engineers on staff, Zarnacki told me. Computer software engineers and IT security staff are rare, however. That leaves a wide range of systems used by broadcasters open to compromise.
But blaming the end user only goes so far. Mike Davis, a Principal Research Scientist at the firm IOActive, told me in an interview that the Zombie Apocalypse incident came just a couple of weeks after his firm reported a number of critical vulnerabilities in Monroe’s CAP-EAS hardware.
Davis said that IOActive’s audits turned up evidence of “badly written software (and) not following best practices.” The devices rely on lots of “embedded secrets” including encoded passwords. Simply by downloading and analyzing the firmware for the R-189, Davis and his team were able to identify a variety of ways that the security of CAP-EAS devices could be bypassed and bogus EAS messages broadcast out to an unsuspecting public. And, while a Zombie Apocalypse warning will get lots of laughs, a bogus warning about a tornado or Ebola outbreak could cause widespread panic.
Zarnacki said that Monroe is at work on a fix for the issues IOActive identified, but he’s also convinced that patching his company’s CAP-EAS hardware will only do so much. Going forward, there need to be clearer guidelines for securing the EAS system and supervision – ideally by the federal government, he said. Yet, to date, no government agency or industry group has seriously addressed the issue of operational security with EAS. That needs to change.