It was, of course, a hoax – and there are no reports of public panic similar to that following the 1938 radio broadcast of The War of the Worlds. But few people are laughing: the hoax usurped the official Emergency Alert System (EAS).
Initial thoughts turned to weak passwords allowing the hacker access to the system. “The most obvious line of investigation,” suggested Graham Cluley in the Sophos NakedSecurity blog on Tuesday, “would be to examine if the alert service was only ‘protected’ by a default password that could have been widely known.” Indeed, at around the same time the FCC issued an urgent advisory to participating television stations: “EAS Participants must change all passwords on their CAP EAS equipment from default factory settings, including administrator and user accounts.”
Current thinking is that the problem goes beyond just passwords. A month before the incident, Mike Davis, a security expert with IOActive, submitted a report to US-CERT detailing flaws in the ENDEC machines used by the EAS. “Changing passwords is insufficient to prevent unauthorized remote login. There are still multiple undisclosed authentication bypasses,” he told Reuters via email. “I would recommend disconnecting them from the network until a fix is available.”
According to Kaspersky’s ThreatPost, the flaws that Davis unearthed allowed him to do exactly what Monday’s hacker did. “There is some really, really, terrible software on the other side of that box,” Davis said. “There are some known issues like authentication bypasses and what I would call back doors, although I don't know if they were meant that way. While I can't provide authenticated messages [from the EAS system itself], I can log into all of them and insert authenticated messages.”
The real worry is that malicious actors, rather than this mischievous actor, could craft a warning designed to create genuine panic, or could disrupt a real warning about a genuine emergency. “The problems that Davis found,” warns ThreatPost, “represent a serious weakness in the EAS system. Some of the ENDECs are networked together in a way that enables them to relay messages to one another, so an attacker who could compromise one could conceivably cause problems on others, as well.”