Default TV station passwords enabled zombie attack hack

Tools

Zombie passwords were the source of the hoax zombie-attack announcement that was broadcast on Feb. 11 by television stations in California, Michigan, Montana and New Mexico. The problem was a classic remote-site IT issue: equipment that still had the default passwords programmed in by the manufacturer, and hadn't been protected by firewalls, according to a report from Reuters.

The Federal Communications Commission's response was standard IT procedure, too. On Tuesday, the FCC told television stations to change default passwords, secure equipment behind firewalls and check to make sure no other fake alerts were queued for future transmission.

The hoax announcement, broadcast through the Emergency Alert System that's typically used for severe-weather warnings, warned that "Civil authorities in your area have reported that the bodies of the dead are rising from the grave and attacking the living." The hoax was apparently easy to perpetrate because the TV stations involved had never changed the default passwords, which are included in equipment manuals available online.

At least one EAS equipment vendor says it is considering adding code that will force users to change the default password the first time the equipment is powered up. But security researchers have also identified unpublished repair and update passwords, which have been used in the past to break into EAS servers.

One researcher, Mike Davis at IOActive Labs, said he had reported "multiple undisclosed authentication bypasses" in EAS systems a month ago to the Department of Homeland Security's U.S. Computer Emergency Readiness Team, and was able to identify 30 vulnerable EAS systems with a Google (NASDAQ: GOOG) search.

Nor is the threat limited to local TV stations. Any business that has remote offices without their own onsite IT security staffers is at risk from the "zombie password" problem, either from default or easy-to-guess passwords. IT appliances can dramatically ease the process of dropping new business functions into a remote site--and when it's so easy that non-IT staff can install it, security is almost guaranteed to be compromised unless central IT staff either walk users through the configuration or install it themselves.

For more:
- see Jim Finkle's article at Reuters

Related Articles:
Public, private sectors seeking ways to replace passwords
Why the Times let hackers stay awhile
Hackers hold medical center's patient data hostage