Feb 13 A hacker infiltration of the U.S.
emergency broadcast system on TV stations in at least four
states came down to the fact that the stations had failed to
change factory default passwords, broadcasters said on
The Monday attacks, which broadcast bogus warnings that the
United States was under attack by zombies, prompted the
government to order television stations to change passwords on
the equipment that connects them to the nation's Emergency Alert
System, or EAS.
The FCC would not comment, but in an urgent advisory sent to
television stations on Tuesday the agency said: "All EAS
participants are required to take immediate action."
It instructed them to change passwords on equipment from all
manufacturers, making sure that gear was secured behind
firewalls and to also inspect systems to ensure that hackers had
not queued "unauthorized alerts" for future transmission.
While a zombie hoax appeared to be somewhat innocuous, the
fact that hackers could easily broadcast an emergency message
showed that they might be able to wreak havoc with more alarming
"It isn't what they said. It is the fact that they got into
the system. They could have caused some real damage," said
Karole White, president of the Michigan Association of
Two stations were attacked in Michigan, in addition to
several in California, Montana and New Mexico, according to
A male voice addressed viewers in a video posted on the
Internet of the bogus warning broadcast from KRTV in Great
Falls, Montana, a CBS affiliate: "Civil authorities in your area
have reported that the bodies of the dead are rising from the
grave and attacking the living." The voice warned not "to
approach or apprehend these bodies as they are extremely
Bill Robertson, vice president of privately held electronics
manufacturer Monroe Electronics of Lyndonville, New York, told
Reuters that equipment from his company had been compromised in
at least some of the attacks after hackers gained access to
their default passwords.
Monroe publishes the default passwords for its equipment in
user manuals that can be accessed on its public website.
He said that the company is working to improve the security
of its products and may update its software to force
broadcasters to change default passwords.
"They were compromised because the front door was left open.
It was just like saying 'Walk in the front door,'" he said.
Mike Davis, a hardware security expert with a firm known as
IOActive Labs, told Reuters that he was able to use Google Inc's
search engine to identify some 30 alert systems across
the United States that he believed were vulnerable to attack as
of Wednesday morning.
"Somebody could have delivered their message to a lot more
systems," said Davis, who last month sent a detailed report
about vulnerabilities in EAS equipment to the Department of
Homeland Security's U.S. Computer Emergency Readiness Team, or
Officials with US-CERT could not be reached.
Federal Emergency Management Agency spokesman Dan Watson
said the breach did not have any impact on the government's
ability to activate the Emergency Alert System.