Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

BLOG: Hackers can hijack unpatched Emergency Alert System devices, broadcast bogus warnings

Darlene Storm | July 10, 2013
Security researchers with IOActive have been sitting on the flaws, quietly waiting for CERT to contact the vendor, which then produced a patch for the vulnerability.

Back in 2011, FEMA was not amused when there was talk about hacking FEMA's EAS to hijack all radio and TV stations in the US. The agency responded that EAS "already has adequate safety and security measures in place to ensure that it will only be used by appropriate officials as a way to communicate with the American people in the event of a real emergency."

But in February 2013, a Montana TV station broadcast an emergency alert warning about the zombie apocalypse. A hacker hijacked the system before sending the emergency alert: "Civil authorities in your area have reported that the bodies of the dead are rising from their graves and attacking the living. Follow the messages on screen that will be updated as information becomes available. Do not attempt to approach or apprehend these bodies as they are considered extremely dangerous."

"We were hacked and we're not proud of it." Duane Ryan, director of programming at KENW in Portales, New Mexico, admitted the station had failed to change the vendor's default username and password on its EAS computers. "We've changed them now."

Carnegie Mellon University (CMU) Software Engineering Institute (SEI) CERT Program first issued a vulnerability note about the EAS devices, including a reminder to change the default password. Believe it or not, using the factory-default password is a big problem for our nation's critical infrastructure systems connected online. So much so that both US-CERT and ICS-CERT recently warned that changing the manufacturer's default password is "imperative," since brute force cyberattacks against critical infrastructure, especially the energy sector, are increasing.

ICS-CERT wrote, "DASDEC users can obtain the DASDEC v2.0-2 software update and release notes by contacting support@digitalalertsystems.com."

 

Previous Page  1  2 

Sign up for CIO Asia eNewsletters.