Editor’s Note: Updated to include information on the brand of EAS device that was compromised. – PFR 2/14/2013
OK – the good news is that the dead aren’t rising from their graves and the Zombie Apocalypse hasn’t begun (yet…).
The bad news: a phony EAS (Emergency Alerting System) warning about just such a cataclysm earlier this week may have been the result of a hack of what one security researcher says are known vulnerabilities in the hardware and software that is used to distribute emergency broadcasts to the public in the U.S.
The warning from Mike Davis, a Principal Research Scientist at the firm IOActive, comes just days after unknown hackers compromised EAS systems at television stations in the U.S. and broadcast a bogus emergency alert claiming that the “dead were rising from their graves” and attacking people. Published reports say that at least four television stations were the victims of the hoax: WBKP and WNMU in Marquette, Michigan; KNME/KNDM in Albuquerque, New Mexico; and KRTV in Great Falls, Montana.
A hold over from The Cold War, the Emergency Alert System (formerly: the Emergency Broadcast System) is jointly coordinated by FEMA, the Federal Communications Commission (FCC), and the National Weather Service (NOAA/NWS). Its purpose is to alert the public about local weather emergencies and is designed to enable EAS is designed to enable the President to speak to the entire United States via a nationwide EAS broadcast. Radio, television and cable and satellite TV stations are required by federal law to broadcast EAS messages.
But Davis of IOActive said that he discovered and reported a number of critical vulnerabilities in a key component of the EAS system: multi-function hardware known as a CAP EAS device. CAP refers to the Common Alerting Protocol, a successor to EAS.
In an interview with Reuters, Bill Robertson, a Vice President at the firm Monroe Electronics in Lydnonville, New York, confirmed that his company’s CAP EAS devices were compromised in at least some of the attacks. Hackers took advantage of a factory default password that was published in Monroe documentation for the company’s R-189 devices to log into the boxes and insert the bogus message.
Robertson said that customers who failed to change the default password, which was printed in company documentation that could be downloaded from Monroe’s public web site.
“They were compromised because the front door was left open. It was just like saying ‘Walk in the front door,’” he told Reuters.
Davis said he and a colleague downloaded and analyzed firmware for the dominant manufacturer of so-called CAP-EAS devices and found that the software was rife with critical, easily exploitable security vulnerabilities. Davis
declined to name the vendor whose software he analyzed, but confirmed to The Security Ledger that Monroe was the vendor whose product he analyzed and said he reported the issues to the Department of Homeland Security’s ICS-CERT.
CAP-EAS devices are essentially IP-enabled network devices that encode and decode encrypted messages, via radio and, now, XML, Davis said. The CAP-EAS devices authenticate the EAS messages they receive and, if they check out, schedule them to interrupt the current broadcast. Those broadcasts cannot be interrupted.
With the move to the CAP system, these devices have added a slew of functionality that turns them into multi purpose, Internet connected devices capable of sending and receiving e-mail, hosting web pages and uploading and downloading files via FTP.
“They’re just little embedded machines that use off the shelf hardware and software,” he said.
Unfortunately, Davis said the device he studied lacked even basic security features. “There are a whole bunch of layers to this, but it ultimately comes down to badly written software and not following best practices, he said.” In addition to exploitable software vulnerabilities, the device he studied contained encoded passwords and other embedded secrets. Though the details of the attack on the television stations isn’t known, an urgent alert from the FCC about the incident suggests that default credentials may have been used to protect the devices that were compromised.
The FCC memorandum instructed broadcasters to deploy CAP EAS system behind a firewall and to update default user accounts and passwords.
Davis said he has not heard from the vendor regarding his findings, and had been planning to reach out when the news of the Zombie Apocalypse hit.
EAS systems, like other critical infrastructure, have developed along a parallel evolutionary path from mainstream technology – with few exposure to traditional Internet threats and, therefore, more lax practices around protocol design and implementation. Now that those devices have become accessible over the Internet, weak security and poor design decisions are coming to light, he said.
The vulnerability of the EAS system is bound to raise eyebrows within the Washington D.C. policy community. Though the zombie invasion was not a plausible “emergency,” the attackers could easily have used their acces to drive people into the streets with warnings bout a real threat, such as a tornado or terrorist attack.
The bogus zombie attack also came just ahead of the President’s State of the Union address, in which he called out the job of protecting the nation against cyber attacks a top priority.