February 15, 2013

Zombie Apocalypse: Flaws In The Emergency Alert System

Easily exploited vulnerabilities in the emergency alert system (EAS) allowed attackers to log in remotely to the devices that send alerts and issue fake emergency alerts like the one that interrupted a TV broadcast in Montana on Monday. The vulnerabilities allowed the attackers to bypass authentication and could lead to compromise of the ENDEC machines that are responsible for sending out alerts over the EAS on TV and radio.

On Monday, attackers were able to get access to an ENDEC machine at a TV station in Great Falls, Mont., and send out a fake emergency alert that warned of an ongoing zombie apocalypse. Reports suggest that attackers also went after ENDECs at other TV stations. It's not clear what bugs the attackers were exploiting in those machines, but Mike Davis, principal research scientist at security firm IOActive, said that he found some vulnerabilities in ENDECs made by popular manufacturers that could enable an attacker to do exactly what the Montana hackers did.

The problems lie in the firmware. These machines are designed to receive encoded messages from the EAS, decode and authenticate them, and then broadcast them over the air. The system is designed to be automated, so an ENDEC has to sit on a network rather than operate as a standalone box in a station. Many of these boxes are discoverable on the Internet. The EAS uses the Common Alerting Protocol (CAP), an XML-based protocol that sends messages out continuously to ENDECs during an emergency. The protocol has a few features, including the ability for users to send messages that are location-specific so that emergencies in one area don't generate alerts that overlap into unaffected areas. Davis said that CAP, unlike the protocol used on the older Emergency Broadcast System, has a cryptographic authentication mechanism, but it isn't sufficient.
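As an added illustration (not code from the article, IOActive, or any ENDEC vendor), the sketch below shows a defensive pre-relay policy check on a CAP message: sender allowlist, status, presence of a signature element, and location targeting. The element names follow the OASIS CAP 1.2 schema; the use of a `SAME` geocode, the sender address, the area codes and the sample messages are assumptions constructed for the example, and the signature check is presence-only, not cryptographic verification.

```python
import xml.etree.ElementTree as ET

NS = {"cap": "urn:oasis:names:tc:emergency:cap:1.2",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed station policy (assumed values, not from the article).
TRUSTED_SENDERS = {"alerts@county-eoc.example"}
LOCAL_CODES = {"030013"}

def relay_decision(cap_xml):
    """Return (ok, reasons): ok is True only if every policy check passes."""
    root = ET.fromstring(cap_xml)
    reasons = []
    sender = root.findtext("cap:sender", default="", namespaces=NS)
    if sender not in TRUSTED_SENDERS:
        reasons.append(f"sender not allowlisted: {sender!r}")
    if root.findtext("cap:status", default="", namespaces=NS) != "Actual":
        reasons.append("status is not Actual")
    # Presence only: a real gate must also verify the signature against
    # a pinned certificate before trusting any field of the message.
    if root.find("ds:Signature", NS) is None:
        reasons.append("no XML signature element")
    # Location targeting: collect the area codes the alert claims to cover.
    codes = {g.findtext("cap:value", default="", namespaces=NS)
             for g in root.iterfind("cap:info/cap:area/cap:geocode", NS)
             if g.findtext("cap:valueName", default="", namespaces=NS) == "SAME"}
    if not codes & LOCAL_CODES:
        reasons.append(f"no geocode matches local area: {sorted(codes)}")
    return (not reasons, reasons)

def sample(sender, code, signed):
    """Build a constructed, minimal CAP alert for the demonstration."""
    sig = f'<ds:Signature xmlns:ds="{NS["ds"]}"/>' if signed else ""
    return (f'<alert xmlns="{NS["cap"]}">'
            f'<identifier>constructed-1</identifier><sender>{sender}</sender>'
            f'<status>Actual</status><info><event>Test</event><area>'
            f'<areaDesc>constructed</areaDesc><geocode>'
            f'<valueName>SAME</valueName><value>{code}</value>'
            f'</geocode></area></info>{sig}</alert>')

if __name__ == "__main__":
    print(relay_decision(sample("alerts@county-eoc.example", "030013", True)))
    print(relay_decision(sample("unknown@example.net", "006037", False)))
```

A gate like this belongs in front of the broadcast path, so that a message failing any check is logged and held for an operator instead of going to air automatically.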

ENDECs are sometimes networked together in a way that enables them to relay messages to one another, so an attacker who could compromise one could conceivably cause problems on others as well. While we can all laugh at the well-executed prank, malicious attackers could definitely exploit these vulnerabilities in a way that could cause panic and fear in people who may see the message.