A hacker may have done the industry, and perhaps the country, a favor on Monday, Feb. 11. That’s the day someone hacked and took control of the CAP EAS system at KRTV Great Falls, MT. The station aired what would have appeared as a standard EAS test or alert, beginning with the familiar and purposely annoying header tones and a top-of-screen crawl. What followed next was an audio message saying “Civil authorities in your area have reported that the bodies of the dead are rising from their graves and attacking the living. Follow the messages on screen that will be updated as information becomes available. Do not attempt to approach or apprehend these bodies as they are considered extremely dangerous.”
On Tuesday, Feb. 12, the FCC issued the following advisory to EAS participants, and manufacturers of EAS insertion equipment distributed the advisory to known customers and those who registered for e-mail from CAP EAS encoding/decoding equipment manufacturers, or have requested support from CAP EAS encoding/decoding equipment manufacturers in the past:
From the FCC, February 12, 2013. Urgent Advisory: Immediate actions to be taken regarding CAP EAS device security.
All EAS Participants are required to take immediate action to secure their CAP EAS equipment, including resetting passwords and ensuring CAP EAS equipment is secured behind properly configured firewalls and other defensive measures. All CAP EAS equipment manufacturer models are included in this advisory.
All Broadcast and Cable EAS Participants are urged to take the following actions immediately
1. EAS Participants must change all passwords on their CAP EAS equipment from default factory settings, including administrator and user accounts.
2. EAS Participants are also urged to ensure that their firewalls and other solutions are properly configured and up-to-date.
3. EAS Participants are further advised to examine their CAP EAS equipment to ensure that no unauthorized alerts or messages have been set (queued) for future transmission.
4. If you are unable to reset the default passwords on your equipment, you may consider disconnecting your device’s Ethernet connection until those settings have been updated.
5. EAS Participants that have questions about securing their equipment should consult their equipment manufacturer.
Later the same day, probably not coincidentally, President Obama issued an executive order and a related presidential policy directive to strengthen America’s cyber security.
Rumor mills rev up
The event is rapidly becoming infamous, and speculation is growing as the story spreads. As I began investigating this event, rumors abounded. Some are saying a few stations in New Mexico, California and Michigan were also affected. I’ve yet to see any reports, air checks or logging data to verify these stories other than KRTV. Part of the problem may have been that some other stations aired the video posted on YouTube as a news story or kicker.
As Darryl Parker, senior vice president at TFT suggested to me, airing of the clip including the header could trip more EAS receivers and confuse viewers. The story may be a bit stale by now, but make sure your newsroom doesn’t inadvertently become part of the story by airing this viral video. This is actually a violation of FCC Rules. CFR 47 11.45 says: "No person may transmit or cause to transmit the EAS codes or Attention Signal, or a recording or simulation thereof, in any circumstance other than in an actual National, State or Local Area emergency or authorized test of the EAS. Broadcast station licensees should also refer to §73.1217 of this chapter."
I contacted all the stations reported to have aired the zombie alert and am awaiting response, but I’m not holding my breath. What could anyone say other than something along the lines of, “I stepped off the curb and got hit by an unidentified bus?” Fact is that nobody at any station controls the installed CAP EAS monitoring and insertion equipment. On the other hand, as the FCC immediately advised, changing the password and ensuring an effective firewall is vital.
In these days of androids, iPhones and the like, a hacker doesn’t need a T-1 or a doctorate in computer science to hack into a system. Broadcasters have just been personally schooled in 21stcentury cyber-threats. Fortunately, this reminder was somewhat innocuous. Clearly, however, call letters, tall towers and local celebrity make broadcasters an attractive target.
Good and bad
For all the cool stuff the Internet brings to broadcasters, such as the ability to control all sorts of things from routers to transmitters from a hand-held mobile device, there’s an equivalent amount of danger and risk in the form of hackers. The more we rely on IT infrastructure connected to the Internet, the more vulnerable we are to external hackers. This should come as no surprise to broadcasters or IT experts. This time the surprise is, to paraphrase General Buck Turgidson in the 1960s classic movie "Dr. Strangelove," we got caught with our pants down.
The simplistic explanation in this case is that someone didn’t update their insertion system password from the factory default. Some manufacturers post default passwords on the Internet in user manuals, and who wouldn’t guess the usual default passwords such as “admin” and “password?” We don’t know exactly how the zombie hacker gained access because the facts aren’t all in yet. What we do know is that in CAP EAS, there can be ways to bypass the password through the back door. The entire CAP EAS protocol structure is public record.
The threat of hackers isn’t limited to what stations air. Telephone hacking demolished a UK-based newspaper and continues to bring down some UK reporters. Stories and photos of electronic road warning sign hacks are not uncommon. On Dec. 18, 2011, this newsletter reported on a spooky cell phone EAS hacking incident that took place in New Jersey. Clearly, digital electronics can and will be hacked.
In radio and television broadcasting, it’s up to engineers, from design engineers to local station engineers, to protect their gear and facilities from all forms hacking. Some might call the EAS zombie incident a prank. Others, such as the federal government, might count the incident as cyber warfare. I think the zombie hacker did us a favor because what happened shines a blinding light through holes in the CAP EAS system, particularly in this era of unattended station operation.
Not coincidently, a report for the FCC is being prepared by an FCC advisory group known as the Communications Security and Reliability Council on end-to-end security threats and improvements that may be needed. The Council includes several CAP EAS manufacturers. The report has been in progress for some time and will be delivered in March. It is not a specific response to the zombie incident but will likely identify some of the holes the zombie hacker used.
Change the locks
At many broadcast stations, engineers are in charge of facility security and, therefore, must always keep security in the forefront. However, security is such a broad term; we know about physical and personal security, but some may still be a bit naive about cyber-security. We hear about Internet security threats so frequently that it’s easy to tune it out. Let’s review the basics.
Strong passwords are your first line of defense. Using your station’s call letters or street address is an open invitation to even the dumbest hacker, let alone a fully automated password guesser. Strong passwords include those with caps and lower case letters, symbols, numbers and spaces. Fewer than eight characters are considered easy to hack. Twelve- or 16-character passwords, including numbers, spaces and symbols, are much stronger.
As important as strong passwords in the defense of your system are firewalls. Consumer routers typically include a firewall, and you get what you pay for. Stronger industrial-strength firewalls are found in “Enterprise” class routers. This class of router is generally only available from larger manufacturers and is not usually found on shelves in neighborhood box stores. Spam filtering and proxy servers can also enhance security.
Keep all software up-to-date. Some experienced engineers may be hesitant because they’ve been burned by an update or two, but modern upgrades are typically transparent to the system. If you have questions about an update, contact the manufacturer of the equipment. Some gear, such as older PC-based gear, may be sensitive to OS upgrades. If you own such a system, don’t connect it to the Internet, and don’t use flash drives that haven’t been fully verified virus-free by the latest antivirus software on the latest operating system. PC-based systems must be considered stand-alone appliances and kept away from the Internet. What was once considered an air-gap can be compromised by Wi-Fi or Bluetooth.
Frequently monitor systems for breaches and threats. News reports of the zombie hack included another station that had been monitoring its EAS system log and found multiple attempts to use the back door to try passwords in the days leading to the zombie event. Make such systems checks a regular part of your daily routine. Additionally, there is a variety of integrity auditing tools available that will report if and when changes have been made at the system level. Most begin with a snapshot of the system when it is known to be operating optimally. There are numerous such tools available for virtually every popular operating system, open and closed. Know them, use them and sleep better knowing you’re working smarter than the person trying to hack you.
Ultimately, everything you really need to know about security can be said in two words: Be skeptical.