Zombie Attack Warnings Broadcast After Emergency Alert System Hack
The emergency alert systems that were affected are all connected by an Internet-based emergency communications network. Previously, emergency alert messages used a private landline network. A number of sources report that hackers have been using botnets to attempt to break into the emergency alert systems of broadcasting stations.
The EAS system is normally used for weather emergencies, disasters and Amber alerts. It can also be used by the President to make a simultaneous announcement to everyone in the U.S.
By now anyone who regularly reads this column is likely aware that I’ve written about failures in securing the critical infrastructure of the U.S. and the federal government’s seeming inability to do anything about it. While the EAS isn’t specifically part of the critical infrastructure, it’s still critically important.
The EAS is in fact the only way available to send emergency alerts to people in entire regions or throughout the U.S. But that only works when the system retains its integrity and when people believe what it says.
While an emergency alert of a zombie attack is good for a few laughs and probably wasn’t taken seriously by most people, it’s still another step toward eroding the integrity of the EAS. While it didn’t originate from the part of the system controlled by the U.S. Department of Homeland Security, but rather from individual stations, the people who hear the alerts don’t know that. To them it initially sounded like a real emergency.
Unfortunately, these problems are exacerbated by the fact that there are a lot of places where Internet-connected computers are installed and maintained by people who are not IT professionals.
These people, like the broadcast engineers who installed the EAS computers, really don’t know much about security, nor do they understand how to protect the part of the national infrastructure with which they’re entrusted.
Clearly better training would be a help, but it’s not a quick solution. Perhaps a better idea might be to adopt a practice that Cisco has been following for some time now with its Internet-facing consumer products—default user names and passwords that are not standardized. If you’ve installed a Linksys router in the last few years, you’ll have noticed that the SSID (Service Set Identification) and passwords are made up and in the case of passwords are not something you’d find in a dictionary. What’s more, every router is different.
Adopting such a process would cost manufacturers of Internet or public-facing equipment a little more because they’d have to revise their procedures. But it would add a lot of security to products that run in a world where people aren’t trained to be IT managers. The minor costs involved would be more than offset by not having to worry about reports of bogus zombie attacks.
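What non-standardized default credentials could look like on a manufacturer's provisioning line, as an added example that is not from this column or from any vendor's actual process. The function names, alphabet, password length, PBKDF2 work factor and serial format are all assumptions made for illustration.

```python
import hashlib
import hmac
import math
import secrets

# Label-friendly alphabet (assumed): no 0/O/o or 1/l/I, so it can be typed from a sticker.
ALPHABET = "abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"
PASSWORD_LEN = 16
PBKDF2_ROUNDS = 100_000  # assumed work factor for this example


def entropy_bits(length=PASSWORD_LEN, alphabet=ALPHABET):
    """Entropy of a uniformly random password drawn from the alphabet."""
    return length * math.log2(len(alphabet))


def provision_unit(serial):
    # The credentials come from the OS CSPRNG and are NOT derived from the
    # serial or MAC, so one unit's sticker reveals nothing about another unit.
    password = "".join(secrets.choice(ALPHABET) for _ in range(PASSWORD_LEN))
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {
        "serial": serial,
        "label": {"username": "admin-" + secrets.token_hex(3), "password": password},
        # Only the salted hash is flashed to the device; plaintext goes on the label.
        "firmware": {"salt": salt.hex(), "hash": digest.hex()},
    }


def provision_batch(serials):
    """Provision a batch and refuse to ship two units with the same password."""
    units, seen = [], set()
    for serial in serials:
        unit = provision_unit(serial)
        while unit["label"]["password"] in seen:  # vanishingly unlikely, checked anyway
            unit = provision_unit(serial)
        seen.add(unit["label"]["password"])
        units.append(unit)
    return units


def verify_login(unit, password):
    """Device-side check against the flashed hash, compared in constant time."""
    fw = unit["firmware"]
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(fw["salt"]), PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, bytes.fromhex(fw["hash"]))
```
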