Broadcasters blame zombie hack on easy passwords

Thu Feb 14, 2013 9:01pm IST

People dressed as zombies attend a Zombie Walk in Caracas November 3, 2012. REUTERS/Carlos Garcia Rawlins/Files

People dressed as zombies attend a Zombie Walk in Caracas November 3, 2012.

Credit: Reuters/Carlos Garcia Rawlins/Files

Related Topics

Stocks

   
Priyanka Gandhi Vadra, daughter of Congress party chief Sonia Gandhi, adjusts her flower garlands as she campaigns for her mother during an election meeting at Rae Bareli in Uttar Pradesh April 22, 2014. REUTERS/Pawan Kumar

Election 2014

More than 814 million people — a number larger than the population of Europe — are eligible to vote in the world’s biggest democratic exercise.  Full Coverage 

REUTERS - Poor password security allowed hackers to broadcast a bogus warning on TV networks that the United States was under attack by zombies, broadcasters said, and one expert in the technology said the emergency channel they broke into remained vulnerable.

The attacks on Monday on a handful of stations prompted the government to order broadcasters to change passwords for the equipment that authorities use to instantly push out emergency broadcasts through what is known as the Emergency Alert System, or EAS.

The FCC would not comment on the attacks, but in an urgent advisory sent to television stations on Tuesday the agency said: "All EAS participants are required to take immediate action."

It instructed them to change passwords on equipment from all manufacturers that forces emergency broadcasts on to television networks, interrupting regular programming. It instructed them to make sure that gear was secured behind firewalls and to also inspect systems to ensure that hackers had not queued "unauthorized alerts" for future transmission.

The attacks came at a time when officials and outside security experts are warning the United States is at risk of a cyber attack that could cause major physical damage or even cost lives. President Barack Obama has told Congress that some hackers are looking for ways to attack the U.S. power grid, banks and air traffic control systems.

While the zombie hoax appeared to be somewhat innocuous, the fact that hackers could easily broadcast an emergency message showed that they might be able to wreak havoc with more alarming communications.

"It isn't what they said. It is the fact that they got into the system. They could have caused some real damage," said Karole White, president of the Michigan Association of Broadcasters.

White and her equivalent in Montana, Greg MacDonald, said they believed the hackers were able to get in because stations had not changed the default passwords they used when they shipped from the manufacturer.

The "zombie" hackers targeted two stations in Michigan, and several in California, Montana and New Mexico, White said.

A male voice addressed viewers in a video posted on the Internet of the bogus warning broadcast from KRTV in Great Falls, Montana, a CBS affiliate: "Civil authorities in your area have reported that the bodies of the dead are rising from the grave and attacking the living."

The voice warned not "to approach or apprehend these bodies as they are extremely dangerous."

STILL VULNERABLE

Larry Estlack, chairman of the Michigan Emergency Alert System, told Reuters that passwords sometimes do not get changed because the EAS uses equipment that is not easy to set up.

"Some people have trouble gettiing through the setup procedure. It is fairly complex," he said.

But Mike Davis, a hardware security expert with a firm known as IOActive Labs, said there were other ways to remotely access the systems that would allow hackers to bypass password checks even if they were changed.

Davis said he had submitted a report to the Department of Homeland Security's U.S. Computer Emergency Readiness Team, or US-CERT, about a month ago that detailed security flaws in EAS equipment that he warned make it vulnerable to attacks.

"Changing passwords is insufficient to prevent unauthorized remote login. There are still multiple undisclosed authentication bypasses," he told Reuters via email. "I would recommend disconnecting them from the network until a fix is available."

Davis also said he was able to use Google Inc's (GOOG.O) search engine to identify some 30 systems that he believed were vulnerable to attack as of Wednesday morning.

Officials with US-CERT could not be reached.

Bill Robertson, vice president of privately held electronics manufacturer Monroe Electronics of Lyndonville, New York, told Reuters that equipment from his company had been compromised in at least some of the attacks after hackers gained access to their default passwords.

Monroe publishes the default passwords for its equipment in user manuals that can be accessed on its public website.

Robertson said that he believed attackers had been able to access the devices over the Internet because television stations had not properly secured the equipment behind fire walls, which is what Monroe recommends.

"The devices were not really locked down right. They were exposed," he said.

He said that the company is working to beef up security on the equipment and may update its software so that it forces customers to change default passwords.

"They were compromised because the front door was left open. It was just like saying 'Walk in the front door,'" he said.

Federal Emergency Management Agency spokesman Dan Watson said the breach did not have any impact on the government's ability to activate the Emergency Alert System.

(Reporting by Jim Finkle; Editing by Lisa Shumaker and Patrick Graham)

FILED UNDER:
Comments (0)
This discussion is now closed. We welcome comments on our articles for a limited period after their publication.

  • Most Popular
  • Most Shared

Legal Trouble

REUTERS SHOWCASE

Hacking Threat

Hacking Threat

All at sea: global shipping fleet exposed to hacking threat.  Full Article 

Mt. Gox Update

Mt. Gox Update

Tokyo Court orders bankruptcy trustee to begin Mt. Gox liquidation .  Full Article 

Net Neutrality

Net Neutrality

U.S. regulators to propose new net neutrality rules in May.  Full Article 

Facebook Results

Facebook Results

Facebook Q1 revenue grows 72 percent on rising mobile ads.  Full Article | Related Story 

Huawei Shrugs

Huawei Shrugs

China's Huawei says reports of NSA spying won't impact growth  Full Article 

Betting on Content

Betting on Content

AOL, Microsoft lure advertisers with TV-style shows.  Full Article 

Restructuring Plans

Restructuring Plans

Zynga's Pincus withdraws from operations amid turnaround.  Full Article 

Security Threat

Security Threat

FBI warns healthcare sector vulnerable to cyber attacks.  Full Article 

Online Streaming

Online Streaming

Amazon grabs rights to stream older HBO shows.  Full Article 

Reuters India Mobile

Reuters India Mobile

Get the latest news on the go. Visit Reuters India on your mobile device.  Full Coverage