Authorities have reportedly identified the hacker responsible for this week's zombie hoax in Montana and three other states, while TV stations have found an explanation for how it happened — weak passwords.
The suspect, whose name has not yet been released, hacked into the Emergency Alert Systems (EAS) at Montana affiliate KRTV on Monday, allowing him to broadcast a seemingly authentic warning about an impending zombie attack. It was later discovered that the hoax affected several other stations across California, Michigan, and New Mexico.
On Wednesday, the affected broadcasters admitted that they had never changed the default passwords to their alert systems, which made it easier for the hacker to gain "back door" access. The FCC has yet to comment on the breach, but the Commission issued an urgent advisory on Tuesday, ordering all stations to "take immediate action" in response to Monday's hack.
"They could have caused some real damage."
"It has been determined that a ‘back door’ attack allowed the hacker to access the security of the EAS equipment," Cynthia Thompson, station manager for Michigan's ABC 10 affiliate, wrote in a blog post yesterday."The nature of the message Monday night was not necessarily dangerous, but the fact that the system was vulnerable to outside intrusion is a danger."
It's a sentiment that has been echoed by security experts and broadcasters alike — the zombie hoax itself may not have been serious, but the stations' lax security could have caused widespread panic if hackers exploited it to announce fake terrorist attacks or more serious threats. "It isn't what they said. It is the fact that they got into the system," Karole White, president of the Michigan Association of Broadcasters, told Reuters. "They could have caused some real damage."
Security firms, meanwhile, have already conducted closer analyses of the breach. Consultancy IOActive told ComputerWorld this week that at least two types of EAS devices are particularly susceptible to hacks, potentially rendering many TV and radio stations vulnerable to similar hoaxes. The company didn't identify the specific devices or their vendors, though it did say that it's working with authorities to make them more secure.