Slashdot Mirror
Local Emergency Alert System Hacked, Warns Dead Rising From Graves
First time accepted submitter Rawlsian writes "Great Falls, Montana, television station KRTC issued a denial of an Emergency Alert System report that 'dead bodies are rising from their graves.' The denial surmises that 'someone apparently hacked into the Emergency Alert System...This message did not originate from KRTV, and there is no emergency.'"
Gotta get to the shopping mall. Stop at the sporting goods store and pick up some weapons and ammo. The zombies will feast on the easier targets for 30 days or so.
Those systems that were never meant to go on the internet were somehow available on the internet? It's too bad some broadcast stations don't know when to air-gap
If computers were people, I'd be a misanthrope.
Supposedly this is the capture of the hacked broadcast: http://www.youtube.com/watch?v=nc60XPCXrh8
The preceding line was intentionally left blank.
Nah, he did a community service by demonstrating the failure without starting a panic over a real possible event. No one should have believed it.. At least not anyone with half a BRAAAAAAAAAAIINSS!!!!
Do not look into laser with remaining eye.
On the contrary.
This is an obvious prank, and is unlikely to cause any harm, except to embarrass those who ought to be embarrassed. It would have been much more harmful to send an alert about a more believable disaster. Can you imagine the panic if the hoax had been about rising floodwater, or an incoming storm or hurricane?
This hack has the benefit of exposing a weakness before it could be maliciously exploited, in probably the only way that guarantees action will be taken. As we've seen, being a good white-hat and reporting the potential security is likely to result in you being prosecuted, and the fault being swept under the carpet.
Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
Who the hell on this site supported Adam Lanza?
The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
It's been a few years since I worked down there, but EAS always seemed like pretty primitive tech. One of the last remaining bastions of serial printer ports as I recall. It is (or was a few years ago) ugly, annoying, tended to chop the ends off of messages, and many of the weather service alerts either were for somewhere entirely remote from us, or were so garbled that they were incomprehensible.
I'm entirely unsurprised that it's easy to hack in to EAS.
Three Squirrels
This message did not originate from KRTV, and there is no emergency
those are some wily zombies
how many pairs of boxer shorts should you own?
Not cause any harm? It won't be so funny when the dead start rising from the grave and no one believes it because this guy cried wolf already! Thousands of people will disregard the warning and subsequently get their brains eaten! It won't seem so fun then!
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Obviously someone with half a brain should have believed it. Who else ate the missing half?
Now when the REAL zombie apocalypse arrives, everyone will assume it's just another prank...
This is an obvious prank, and is unlikely to cause any harm, except to embarrass those who ought to be embarrassed.
I doubt that. If you are referring to the local officials who implemented the system or maintain it, then no, they have nothing to be embarrassed about. They didn't design the system, they just installed what was compatible with everyone else. Those who designed the system will probably not be overly embarrassed, either.
I doubt you're referring to the prankster, who certainly won't be embarrassed at all, even though such public displays should be embarrassing to him. It's like finding a mailing list and sending a bunch of spam to it to prove how insecure it is; annoying everyone on the list who can do nothing about it and really changing nothing.
The only likely result of this will be a confirmation in the minds of the public that hackers are nutcases who need to be put in jail for doing stupid things, not a sudden realization that hackers are here to save us from our mistakes.
And remember not to run up stairs to escape them, leaving you stranded on the roof like EVERY FUCKING MOVIE IN EXISTANCE.
If Debbie Harry is out dropping rhymes again then the world really is coming to an end...
Do not look into laser with remaining eye.
As we've seen, being a good white-hat and reporting the potential security is likely to result in you being prosecuted, and the fault being swept under the carpet.
I tried that. I reported to a school that they put social security number together with full name, address etc on a html page, made it accessible without logging in and they transferred it without any encryption. It looked it they made a page for each student and then emailed the student in question the URL to their "personal page". I ended up talking to some lady, who went "only criminals would detect such flaws. You must be a hacker. I'm calling the police right away". They didn't dare to keep the page up when I kept a cool head and said I would report it for privacy violation if they didn't remove it.
Two mysteries remains though: ... and lives...". I kind of knew that even before they decided to tell me.
1: why send a mail with a personal link to a page containing only stuff, which could be written in the mail
2: why send out "your daughter's name is.. and is born on
Oh and in case you wonder. Their "security" is that the personal URL contained a hash value. Nobody would be able to guess a hash value and get info on a stranger, right?
Hey, the CDC doesn't run zombie apocalypse drills for no reason
https://www.youtube.com/watch?v=I28e0IqIgPc -- KRTV out of Great Falls, Montana.
Later studies suggested the panic was less widespread than newspapers had indicated at the time. During this period, many newspaper publishers were concerned that radio, a new medium, would render them obsolete. In that time of yellow journalism, print journalists took the opportunity to suggest that radio was dangerous by embellishing the story of the panic that ensued
The parallels almost write themselves...
Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
I think these gentle reminders about security are great and are part of the spirit of hacking.
Which would the USA rather have: (a) goofball hackers create a zombie panic, or (b) our next enemy uses a coordinated attack to create actual panic?
Reminds me of the infamous "War of the Worlds" broadcast by Orson Welles.
Futurist Traditionalism
Nobody would be able to guess a hash value and get info on a stranger, right?
Actually, yeah. That's pretty much the exact function of a properly constructed cryptographic hash function.
All they would have had to do was walk a little bit faster!
Break into a system meant for emergency use only and the hammer will come down.
Fine. But it should come down equally as hard, if not more so, on those who accepted public money to build a secure system and failed to do so. Anything else is scapegoating.
Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
All stations share their EAS infrastructure. The largest stations get their data direct; smaller stations get it from larger ones. All stations need to have at least two different data sources set up. It is actually a reasonably well set up topology, and it is tested on a very regular basis.
The FCC also imposes strict fines on anyone who fails a test; the base fine for a violation is $8,000 and is scaled up for repeat or blatant violations.
How the FCC handles fines in this case will be interesting. The EAS system is designed for speed and reliability, not for security; there is message validation built in to prevent unintentional activation, but a correctly-formatted bogus message inserted into the system will propogate as designed.
First the undead rise from their graves. Then the establishment covers it up. And it's not a coincidence that there are shortages and limits on ammo.
I'm an American. I love this country and the freedoms that we used to have.
I find nothing in that citation to indicate that Assange has been charged with any offence. On the contrary and to quote directly: "Assange has not yet been formally charged with any offence."
Better to be despised for too anxious apprehensions, than ruined by too confident a security. --Edmund Burke
When the Zombies do come, there's no real point in fighting or running, eventually they will win.
http://en.wikipedia.org/wiki/Assange_v_Swedish_Prosecution_Authority
Assange fled Sweden rather than defend himself against the charges.
Hmmm
Except that is not correct, he did not flee, he left Sweden legally. It was only after he had left Sweden that the new prosecutor issued a new arrest warrant.
Being a good guy white-hat doesn't get you arrested. Not realizing the difference between telling someone "Hey your door is open" from the outside of their house and saying "Hey your door is open from in someone's bedroom" is what gets you arrested. Well that and the kind of self righteous attitude that makes "white hats" believe that if a vulnerability isn't fixed within a day of them having reported it they have the right to take down the system or reveal said vulnerability to the world. In other words, the fact that I have forgotten to lock my door doesn't give you the right to enter my house and if you do so, even to tell me that I've forgotten to lock my door you aren't a "good guy", not even if you have some of your stuff in my house.
Amazing that this got through to the front page of /. in the same week that it happened!
*Still* negative function...
Sounds like a test of the voting system the Republicans are planning to have in place for 2014. ;-)
I've calculated my velocity with such exquisite precision that I have no idea where I am.
Most local TV stations are already air gapped.
Not the equipment. The air gap is usually between the ears of the anchor
He should have reported that Dihydrogen Monoxide has been detected in the city's water system. :-D
For the uninitiated (see http://dhmo.org/
Dihydrogen monoxide:
is called "hydroxyl acid", the substance is the major component of acid rain.
contributes to the "greenhouse effect".
may cause severe burns.
is fatal if inhaled.
contributes to the erosion of our natural landscape.
accelerates corrosion and rusting of many metals.
may cause electrical failures and decreased effectiveness of automobile brakes.
has been found in excised tumors of terminal cancer patients.
Despite the danger, dihydrogen monoxide is often used:
as an industrial solvent and coolant.
in nuclear power plants.
in the production of Styrofoam.
as a fire retardant.
in many forms of cruel animal research.
in the distribution of pesticides. Even after washing, produce remains contaminated by this chemical.
as an additive in certain "junk-foods" and other food products.
This hack is clearly an invocation of the Emergency Alert System. The EAS is a hierarchically-organized digital message propagation system that has no authentication scheme for the vast majority of the nodes that participate in the network. Since every moderately-sized licensed broadcast radio and TV station in the United States is required to participate in the network, that is a lot of attackable nodes.
The hierarchy is easy to exploit if you wish to spoof an alert on a specific station. All you need to know is the specific list of stations that your target listens to for alerts and a mobile radio transmitter that you can position relatively closely to your target's EAS receiving equipment. The list of "source" stations for your target is often public information, or can be deduced very easily. (Search for "<city> eas plan" in your favorite search engine.) The radio transmitter required is nothing more than a VHF two-way radio, which can often be a "modded" Amateur Radio which can transmit outside of the legal Amateur bands.
Step 4 (transmission) is extremely easy, even with low-powered equipment (250mW). Because of your proximity and the FM Capture Effect you will have no problem overpowering the real source station without adversely affecting or alerting anyone outside a 1/2 mile radius.
My guess is the attackers here did precisely this. They probably exploited this TV station by spoofing a local NOAA weather radio channel that the TV station was listening to for alerts.
They also don't take bathroom breaks, don't need time off. Health and safety laws don't apply to them, they're genuinely American (don't forget to bring geo-coded picture of your personal grave), if one or two get caught up in machinery or drop from scaffolding no-one will ask inconvenient questions, and they will work for a few pounds of squishy matter a day that should be easy enough to obtain.
Am I the only one who sees an opportunity here?