Why 'zombie' cyberattack is a real concern for Emergency Alert System

The Emergency Alert System was hacked this week by someone who inserted a warning that zombies were attacking the US. Funny, yes, but the vulnerabilities to cyberattack are real.

|
(AP Photo/The Record-Eagle, Keith King)
Kris Filion, left, and Brittney Filion, walk their dog, Coffee, as they near the finish line during the fourth annual Zombie Run 5k in Traverse City, Mich., last fall. Proceeds from the run/walk going toward TART Trails.
|
Achmad Ibrahim / AP
Participants dressed as zombies shamble forward in the annual Zombie Walk, a fundraiser in Jakarta, Indonesia, on Jan. 27. On Feb. 11, hackers used the U.S. Emergency Alert System to announce that Americans were under zombie attack.

The Emergency Alert System, intended as a last-ditch measure to enable the president to communicate to Americans in national emergencies, was hacked Monday by someone who inserted messages reporting that the nation was being attacked by zombies.

While the episode is not without humor, the hoax highlights that the EAS system is vulnerable to far more serious cyberattacks, cybersecurity experts say.

An EAS alert began unexpectedly at 8:36 p.m. on Feb 11, interrupting programming on two Michigan television stations with a message scrolling across the bottom of the screen, that read: “dead bodies are rising from their graves.” The alert also said the bodies were “attacking the living.”

In all, three Michigan TV stations were affected by the so-called “zombie” cyberattack, and another in Great Falls, Mont., was reported to have issued similar alerts. But the real problem is that such vulnerabilities could leave the nation open to fake alerts that look far more real than the “zombie” message and could potentially panic the public, broadcasters and other cybersecurity experts say.

"It isn't what they said. It is the fact that they got into the system. They could have caused some real damage," said Karole White, president of the Michigan Association of Broadcasters told Reuters. Underscoring the seriousness of the hack, federal agencies were reported to be investigating the attack – and no hacking group touted that it was responsible, as is common.

The zombie hack attack was particularly disturbing to broadcast engineers who work on the EAS system because of a series of concerns that preceded them.

The attacks followed an 11-hour outage of a key computer system that runs the Integrated Public Alert and Warning System (IPAWS) being developed by FEMA and the FCC. The system will eventually include not only the EAS, but digital capability to send alerts to cell phones and websites.

They also followed a threat by the hacktivist group “Anonymous” to disrupt President Obama’s State of the Union speech on the Internet.

In an “urgent advisory” this week, the Federal Communication Commission also required TV and radio broadcasters nationwide in the EAS to “take immediate action” including resetting passwords and securing EAS equipment “behind properly configured firewalls and other defensive measures.” The FCC did not respond by press time to requests for comment.

Cybersecurity and EAS experts both agree that at least some elements of the EAS system – which has its roots in the cold war and is intended to be a last ditch measure for the president to communicate with Americans – are vulnerable to intrusion via the Internet.

That fact was highlighted as researchers at IOActive, a Seattle cybersecurity company, reported Thursday on several vulnerabilities in EAS system equipment, which they had documented weeks earlier and reported to the US-Cyber Emergency Readiness Team, an arm of the Department of Homeland Security. IOActive experts said they expected to report those findings at a cybersecurity conference conference later this month.

But to other experts, the fact that EAS is vulnerable to being hacked is nothing new.

Matt Krick, chief engineer of New West Broadcasting Systems, Inc. an Arizona radio broadcaster, who also goes by the hacker handle "DCFluX," demonstrated a list of cyber-vulnerabilities in EAS equipment at a 2008 hacker conference. He is concerned, despite newer EAS equipment deployed since.

“The new EAS boxes have all of the same vulnerabilities I outlined 5 years ago, and more,” Mr. Krick writes in an e-mail interview. “It's like a giant electronic Swiss cheese with holes big enough to drive a truck through,” he writes. “My talk outlined the vulnerabilities of the old system in the hopes that someone would take notice and try to improve the current ‘Next generation.’ I even had people from state level EAS committees and FEMA shaking my hand and giving me their cards after the talk.”

Experts on the EAS system also agree that, despite modernized equipment, it is still vulnerable to an unknown degree. As long ago as 2004, the Federal Communications Commission pointed out the system suffers from security holes that leave it vulnerable to Internet-based attacks and could even permit hackers to issue false regional alerts.

“Security and encryption were not the primary design criteria when EAS was developed and initially implemented,” the FCC wrote in a public notice launching a review of the system at that time.

While some improvements have been made in the hardware – and new hardware required to be adopted by broadcasters – potential new vulnerabilities have been created as well, most notably, a requirement that the equipment be connected to the Internet as of June 30, 2012.

“It was absolutely true that the EAS system had vulnerabilities back then – and vulnerabilities still exist at various levels,” says Richard A. Rudman, vice chairman of the California EAS State Emergency Communications Committee. “We’ve got new equipment that has brought in a new level of concern because these EAS devices are now required to be connected to the Internet so they’re capable of receiving messages from the national level of EAS, including tests.”

Poorly configured firewalls to wall off the Internet, and default passwords, are not the end of the problem. Anything connected to the Internet is potentially vulnerable to be hacked and manipulated, Mr. Rudman and other cybersecurity experts note. But the core of the system is still safe, he maintains: the president’s ability to communicate directly to the American people.

“This zombie incident has clearly reminded people to do what should be done in the first place to properly configure firewalls and routers,” he says. “But the likelihood of someone getting into the EAS and causing a major problem throughout the country is remarkably low, almost to the point of being non-existent. Even so, the broadcast community and government are constantly looking at these concerns and trying to improve the security of the system.”

You've read  of  free articles. Subscribe to continue.
Real news can be honest, hopeful, credible, constructive.
What is the Monitor difference? Tackling the tough headlines – with humanity. Listening to sources – with respect. Seeing the story that others are missing by reporting what so often gets overlooked: the values that connect us. That’s Monitor reporting – news that changes how you see the world.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to CSMonitor.com.

QR Code to Why 'zombie' cyberattack is a real concern for Emergency Alert System
Read this article in
https://www.csmonitor.com/USA/2013/0214/Why-zombie-cyberattack-is-a-real-concern-for-Emergency-Alert-System
QR Code to Subscription page
Start your subscription today
https://www.csmonitor.com/subscribe