* FCC orders broadcasters to change passwords on equipment
* Experts say emergency equipment still vulnerable
* Experts say hackers could prevent govt from issuing alerts
By Jim Finkle
Feb 14 - The zombie attack alert issued on a
handful of U.S. TV stations this week is more serious than a
mischievous hacker prank, say cyber experts, who warn the
incident exposes lax security practices in a critical public
safety system.
While broadcasters said poor password security paved the way
for the bogus warning, security experts said the equipment used
by the Emergency Alert System remained vulnerable when stations
allow it to be accessed via the public Internet.
The fear is that hackers could prevent the government from
sending out public warnings during an emergency, or that attackers
could conduct a more damaging hoax than a warning of a zombie
apocalypse.
"It isn't what they said. It is the fact that they got into
the system. They could have caused some real damage," said
Karole White, president of the Michigan Association of
Broadcasters.
Following the attacks on Monday, broadcasters were ordered
to change the passwords for the EAS equipment.
The Federal Communications Commission (FCC) would not
comment on the attacks, but in an urgent advisory sent to
television stations on Tuesday said: "All EAS participants are
required to take immediate action."
It instructed them to change passwords on equipment from all
manufacturers used to deliver emergency broadcasts. The FCC
instructed them to ensure gear was properly secured behind
firewalls and to inspect systems to ensure that hackers had not
queued "unauthorized alerts" for future transmission.
VULNERABLE
The attacks come after warnings by government officials and
outside security experts that the United States is at risk of a
cyber attack that could cause major physical damage or even cost
lives. President Barack Obama told Congress on Tuesday that some
hackers were looking for ways to attack the U.S. power grid,
banks and air traffic control systems.
White and her counterpart in Montana, Greg MacDonald, said
they believed the hackers were able to get in because TV
stations had not changed the default passwords they used when
the equipment was first shipped from the manufacturer.
But Mike Davis, a hardware security expert with a firm known
as IOActive Labs, said hackers could still get past new
passwords to remotely access the systems.
Davis said he had submitted a report to the Department of
Homeland Security's U.S. Computer Emergency Readiness Team, or
US-CERT, about a month ago that detailed the security flaws.
"Changing passwords is insufficient to prevent unauthorized
remote login. There are still multiple undisclosed
authentication bypasses," he told Reuters via email. "I would
recommend disconnecting them from the network until a fix is
available."
Davis said he was able to use Google Inc's search
engine to identify some 30 systems that he believed were
vulnerable to attack as of Wednesday morning.
Privately held Monroe Electronics, whose equipment was
compromised in Monday's attacks, said it was still evaluating
the risks.
"The situation appears to just be the password stuff, but we
are looking at anything else and everything that might come into
play," Vice President Bill Robertson told Reuters.
A spokesman for US-CERT said he could not immediately
comment on the matter.
'BODIES ARE RISING'
The zombie hackers targeted two stations in Michigan, and
several in California, Montana and New Mexico, White said.
A male voice addressed viewers in a video posted on the
Internet of the bogus warning broadcast from KRTV, a CBS
affiliate based in Great Falls, Montana: "Civil authorities in
your area have reported that the bodies of the dead are rising
from the grave and attacking the living."
The voice warned not "to approach or apprehend these bodies
as they are extremely dangerous."
Stuart McClure, chief executive of cyber security firm
Cylance Inc, said he had investigated cases in which hackers
accessed EAS systems via a different method: breaking into
hidden accounts built into the systems by manufacturers so that
service technicians can easily access them for repairs.
"You cannot give a separate pass code to everybody. Nobody
is going to remember it. You have to share the secret," said
McClure, who previously ran a unit at Intel Corp's
McAfee security division that investigated cyber attacks.
Electronics industry experts said that it is tough for some
broadcasters to follow all security guidelines because staff at
small stations lack the expertise to do so.
The equipment that was compromised obtains emergency
broadcasts by frequently using the Internet to make outward
calls to trusted government servers. When it finds an alert on
one of those servers, it broadcasts it on that station.
Monroe Electronics said its gear is designed to let stations
make outgoing queries, but still keep outsiders from getting in.
It recommends against unsecured access to the Internet. "It's
the wild, wild West," said Robertson.
He said the equipment sometimes gets exposed to the open
Internet because it is not properly configured or because
engineers want remote access when they are on call.
Robertson said the company was working to beef up security
on the equipment and might update its software to compel
customers to change default passwords.
Federal Emergency Management Agency spokesman Dan Watson
said that the zombie breach did not have any impact on the
government's ability to activate the Emergency Alert System.