EAS Hack has Engineers on Alert

MULTIPLE CITIES – A hack into the nation’s Emergency Alert System this week that coincided with a threat by Anonymous to disrupt the State of the Union Address on Tuesday has broadcast engineers buzzing.

“They aren’t just trying to get in through the Web interface!” one engineer wrote on an online EAS forum. “As we speak - all of our ‘exposed’ boxes have a bot knocking on them, trying to access the root or NOUSER passwords to the shell/terminal—not just the Web interface! So far on our boxes—they have been unsuccessful, as we’ve changed our root passwords, and they aren’t based on a dictionary word.”
He said the bot knocks were coming through a Tor network, which disguises the physical location of actual IP addresses.

“It seems from their fingerprints that they are not from a single person [or] source,” he said.

KRTV-TV in Great Falls, Mont., WBKP-TV, WBUP-TV and WNMU-TV in Marquette, Mich.; and KNME/KNDM in Albuquerque, N.M. were reported to have carried a bogus EAS message about zombies rising from graves on Monday. Stations in Utah and California may also have received the alert. Greg MacDonald, president and CEO of the Montana Broadcasters Association, said preliminary reports indicated the attacks were initiated overseas, according to KRTV.

Broadcast engineer Barry Mishkind is reporting that at least six stations were affected, and that none had changed default passwords on EAS equipment, or had firewalls between the equipment and the Internet. He noted that the attacks followed an 11-hour outage of the Integrated Public Alert and Warning System server managed by the Federal Emergence Management Agency.

IPAWS is the relatively new, IP-based emergency warning network that broadcasters now monitor for alerts from a variety of sources, including the Emergency Alert System. FEMA administers the system. Outages were reported in mid-December, due to complications from an upgrade.

A FEMA spokesman told Radio World’sLeslie Stimson that the zombie attack did not breach or compromised the IPAWS, and that it had “no impact on FEMA’s ability to activate the Emergency Alert System.”

The EAS typically is used for severe weather warnings, AMBER Alerts and other public-safety messages. It also can be activated by the President of the United States to issue a nationwide warning carried simultaneously by all cable TV systems, radio stations and broadcast television stations. The zombie attack came a day before President Obama delivered a State of the Union Address issuing an executive order to increase cybersecurity. Hacker group Anonymous had threatened to disrupt streaming coverage of the speech, but failed to do so, CNETreported. No president has ever activated the EAS to issue a message.

EAS expert Richard Rudman added that no EAS hack attacks were reported during the Tuesday evening address from Washington, D.C.

The zombie thread on the EAS Forum indicates that engineers are busy identifying and closing security holes. Remote monitoring of EAS equipment should be done only through a secure network, one writes. Another said IP addresses attempting brute-force logins could be blacklisted. Encoders/decoders may need to be updated to newer versions of operating software, for example. All seem to agree that changing passwords and setting up firewalls are imperative to start.

The Federal Communications Commission said as much Tuesday in an urgent advisory that was passed on to the membership of the National Association of Broadcasters. Other than the advisory, the FCC has not commented on the hack. FEMA has said only that it is supporting the FCC and other federal agencies—which many assume to be the FBI—in investigating the incident.

In the meantime, the source of the hack remains unknown. Mishkind cited a 2009 video from YouTube (below) as the possible source for the zombie warning. The type of tones in the video can trigger EAS gear and are illegal to record or reproduce, but they occasionally make it into a news broadcast. EAS tones appeared in a piece on NBC’s “Today Show” in 2011 when broadcasters were preparing for a nationwide test of the new system.

On Tuesday, a radio station in La Crosse, Wis., replayed the zombie alert and triggered another downstream station’s EAS receiver, according to the La Crosse Tribune. The station, WKBT-TV, wound up issuing the zombie alert.