A few days ago, a few TV and radio stations sent out alerts that “dead bodies are rising from their graves and attacking the living. Do not approach or apprehend these bodies as they are extremely dangerous.”
This was not an accurate alert.
How it was generated appears to be a classic case of “oh nobody will ever bother that box in the corner” security philosophy. A researcher who spent some time perusing the firmware of devices similar to those used in the attack suggests it’s easy to bypass authentication measures, and there are even possibly-unintentional backdoors.
One interesting feature of the Emergency Alert System is that it’s designed to pick up and spread messages virally. If one station gets a message, other stations around it that happen to be monitoring it (each station has to be monitoring two nearby ones) will pick up the message and rebroadcast.
From a survivability perspective, this is great. Even if key transmission points are knocked out, the message still goes through.
From a security perspective, this is terrible. Instead of limiting the damage from one or more weak points as most systems do, this actively spreads it.
(The only reason the message in this case didn’t go further is that the system does self-limit — not all stations will be monitoring compromised or compromise-rebroadcasting ones — and that the message here contained a header explicitly limiting it to a geographic area.)
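A toy model of the relay behaviour described above, added here as an example and not taken from the original post or from any EAS implementation. The station names, area labels and monitoring map are constructed, and the relay rule is a simplifying assumption; the point is to compare how far one injected message travels with and without the geographic header, and when a relay point is knocked out.

```python
from collections import deque

# Constructed topology: station -> (area label, the two stations it monitors).
STATIONS = {
    "S1": ("area-1", ("S2", "S3")),
    "S2": ("area-1", ("S1", "S3")),
    "S3": ("area-1", ("S1", "S2")),
    "S4": ("area-2", ("S2", "S3")),
    "S5": ("area-2", ("S3", "S4")),
    "S6": ("area-3", ("S4", "S5")),
    "S7": ("area-3", ("S5", "S6")),
    "S8": ("area-3", ("S6", "S7")),
}


def relay_reach(stations, origin, header_areas=None, offline=()):
    """Return the stations that end up broadcasting an alert injected at origin.

    Assumed relay rule: a station rebroadcasts once any station it monitors
    has broadcast, unless the header lists areas and its own is not among them.
    """
    if origin in offline:
        return set()
    # Invert the monitoring map: for each station, who is listening to it?
    listeners = {name: [] for name in stations}
    for name, (_, monitored) in stations.items():
        for source in monitored:
            listeners[source].append(name)

    reached = {origin}  # the injecting box transmits regardless of the header
    queue = deque([origin])
    while queue:
        for name in listeners[queue.popleft()]:
            if name in reached or name in offline:
                continue
            if header_areas is not None and stations[name][0] not in header_areas:
                continue
            reached.add(name)
            queue.append(name)
    return reached


if __name__ == "__main__":
    print("no area limit:    ", sorted(relay_reach(STATIONS, "S1")))
    print("limited to area-1:", sorted(relay_reach(STATIONS, "S1", {"area-1"})))
    print("S3 knocked out:   ", sorted(relay_reach(STATIONS, "S1", offline={"S3"})))
```

In this model the same redundancy that carries a message past a dead relay also carries a bad message to every station, and only the area list in the header bounds the spread.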
Some very rich people nevertheless appear to be betting on zombies in March. (“Beware the Ides of March!”)
Not only has someone put $11 million on market volatility going up before April (http://www.businessinsider.com/art-cashin-on-big-vix-bet-2013-2), but someone also put 200x more than average on banks taking a dive between March and April (http://www.businessinsider.com/massive-options-bet-against-bank-etf-2013-2).
On Monday, attackers were able to get access to an ENDEC machine at a TV station in Great Falls, Mont., and send out a fake emergency alert that warned of an ongoing zombie apocalypse. Reports suggest that attackers also went after ENDECs at other TV stations, as well. It’s not clear what bugs the attackers were exploiting in those machines, but Mike Davis, principal research scientist at security firm IOActive, said that he found some vulnerabilities in ENDECs made by popular manufacturers that could enable an attacker to do exactly what the Montana hackers did.
The problems lie in the firmware loaded on the ENDECs. These machines are designed to receive encoded messages from the EAS, decode and authenticate them and then broadcast them over the air. The system is designed to be automated and it has to sit on a network, rather than as a standalone box in a station. Many of these boxes are discoverable on the Internet, Davis said, which makes them available to attackers. Davis said that he spent a few hours one day looking at the firmware on these devices, as a sideline from another research project, and found a number of vulnerabilities, the most serious of which allowed him to log in remotely to an ENDEC and insert a message that would be broadcast over the EAS.[…]
“There is some really, really, terrible software on the other side of that box,” Davis said. “There are some known issues like authentication bypasses and what I would call back doors, although I don’t know if they were meant that way. While I can’t provide authenticated messages [from the EAS system itself], I can log into all of them and insert authenticated messages.”
Davis is not identifying the manufacturers of the vulnerable products because the bugs have not been fixed.
The EAS system uses the Common Alerting Protocol (CAP), an XML-based protocol that sends messages out continuously to ENDECs during an emergency. The protocol has a few features, including the ability for users to send messages that are location-specific so that emergencies in one area don’t generate alerts that overlap into unaffected areas. Davis said that CAP, unlike the protocol used on the older Emergency Broadcast System, has a cryptographic authentication mechanism, but it isn’t sufficient.