MULTIPLE CITIES –
into the nation’s Emergency Alert System this week that coincided with a threat
by Anonymous to disrupt the State of the Union Address on Tuesday has broadcast
“They aren’t just trying to get in through the Web interface!” one engineer
wrote on an online EAS forum. “As we speak - all of our ‘exposed’ boxes have a
bot knocking on them, trying to access the root or NOUSER passwords to the
shell/terminal—not just the Web interface! So far on our boxes—they have been
unsuccessful, as we’ve changed our root passwords, and they aren’t based on a
He said the bot knocks were coming through a Tor network, which disguises the physical
location of actual IP addresses.
“It seems from their fingerprints that they are not from a single person [or] source,”
KRTV-TV in Great Falls, Mont., WBKP-TV, WBUP-TV and WNMU-TV in Marquette,
Mich.; and KNME/KNDM in Albuquerque, N.M. were reported to have carried a bogus
EAS message about zombies rising from graves on Monday. Stations in Utah and
California may also have received the alert. Greg MacDonald, president and CEO
of the Montana Broadcasters Association, said preliminary reports indicated the
attacks were initiated overseas, according to KRTV
Broadcast engineer Barry
is reporting that at least six stations were affected, and that
none had changed default passwords on EAS equipment, or had firewalls between
the equipment and the Internet. He noted that the attacks followed an 11-hour
outage of the Integrated Public Alert and Warning System server managed by
the Federal Emergence Management Agency.
IPAWS is the relatively new, IP-based emergency warning network that
broadcasters now monitor for alerts from a variety of sources, including the
Emergency Alert System. FEMA administers the system. Outages
were reported in mid-December, due to complications from an upgrade.
A FEMA spokesman told Radio
Leslie Stimson that the zombie attack did not breach or
compromised the IPAWS, and that it had “no impact on FEMA’s ability to activate
the Emergency Alert System.”
The EAS typically is used for severe weather warnings, AMBER Alerts and other
public-safety messages. It also can be activated by the President of the United
States to issue a nationwide warning carried simultaneously by all cable TV
systems, radio stations and broadcast television stations. The zombie attack
came a day before President Obama delivered a State of the Union Address
issuing an executive order to increase cybersecurity. Hacker group Anonymous had
threatened to disrupt streaming coverage of the speech, but failed to do so, CNET
reported. No president has ever activated the EAS to issue a message.
EAS expert Richard Rudman added that no EAS hack attacks were reported during
the Tuesday evening address from Washington, D.C.
The zombie thread on the EAS Forum indicates that engineers are busy
identifying and closing security holes. Remote monitoring of EAS equipment
should be done only through a secure network, one writes. Another said IP
addresses attempting brute-force logins could be blacklisted. Encoders/decoders
may need to be updated to newer versions of operating software, for example.
All seem to agree that changing passwords and setting up firewalls are
imperative to start.
The Federal Communications Commission said as much Tuesday in an urgent advisory
was passed on to the membership of the National Association of Broadcasters. Other
than the advisory, the FCC has not commented on the hack. FEMA has said only
that it is supporting the FCC and other federal agencies—which many assume to
be the FBI—in investigating the incident.
In the meantime, the source
of the hack remains unknown. Mishkind cited a 2009 video from YouTube (below
) as the
possible source for the zombie warning. The type of tones in the video can
trigger EAS gear and are illegal to record or reproduce, but they occasionally
make it into a news broadcast. EAS tones appeared in a piece on NBC’s “Today
Show” in 2011 when broadcasters were preparing for a nationwide test of the new
On Tuesday, a radio station in La Crosse, Wis., replayed the zombie alert and
triggered another downstream station’s EAS receiver, according to the La
The station, WKBT-TV, wound up issuing the zombie