[EAS] [BC] EAS Zombie Attack

Barry Mishkind barry at oldradio.com
Wed Feb 13 13:06:34 CST 2013


At 10:59 AM 2/13/2013, Dave Kline wrote:
>I am posting this to the three reflectors that I monitor about EAS stuff.
>I hope that is OK with everyone.
>
>With the start of the whole Zombie EAS incident, I have been reading a lot of people's suggestions about what to do to beef up security.
>I admittedly do not know a lot about this stuff. (Root Admin? vs GUI admin?) (Roots vs Shoots?) and a lot of other deep knowledge buzzwords.
>The point being that if someone has solutions to some of this, could you share what you are doing rather than just say you're doing it.

        Dave, 
        I hear your pain. The flood of emails over the past two days
        has been quite difficult to parse - and segregate the good
        information from the speculation and rumors.

        That is why I've been trying to keep the EAS Page at 
        the BDR updated: www.theBDR.net/articles/fcc/eas/eas.html
        (It also keeps me from having to retype all this over and over.)

        For the overwhelming vast majority of stations, there is *no need* to panic.

        The investigation into the event continues - and more is known,
        but the focus is often on the wrong place.

        First - the event was not an EAS box "hack"  ... all of the
        EAS boxes that were used in the zombie alerts were
        either sitting naked on the Internet - no firewall - or
        an improperly provisioned firewall.

        The intruder was only able to access the EAS system
        (it appears that was their intent - no other parts of
        any station's network appear compromised such as 
        transmitter remote control, console control, etc), because:
        1. There was no effective firewall at the station
        2. The original default password was still in place, 
                despite manufacturers' instructions to change them.  
                (Other instructions are to change them regularly.)

        Among the reasons the broadcast community got very 
        anxious yesterday was that:
        1. The attacks followed an 11 hour outage of the IPAWS OPEN server
        2. The attacks followed a threat by "Anonymous" to disrupt the President's speech on the Internet
        3. The late in the day advisory from the FCC
        4. The obvious issues if the EAS is easily attacked, especially at stations that automatically relay CEM or LAE.

        According to information I have developed, quite a few agencies - those with
        letters - are investigating various aspects of what happened.
        More information will come out, in due course.

        Key point:  It is not only EAS, but your whole company that should
        be protected by an appropriate firewall.  This is especially
        true for LP1 and LP2 sites, that could cause a cascade of
        false alerts.  This is not something "end of the line" stations can do,
        but should be an SECC and LECC topic - and *certainly* will be 
        an FCC and FEMA topic in upcoming weeks.

        While it is true that we went some 16 years with little in the
        way of EAS pranks like this, we are in a different time, a different
        world, so to speak.  It is time to be careful. Most are.

        Again, it appears this was a targeted attack - otherwise why 
        was nothing else at these stations attacked?

        So ... ratchet the alert level down a bit. More information will
        come out.  I specifically plan some direct firewall information
        in the next few days on the BDR.

        Stay tuned.

        

        

  


