The zombie attack alert issued on US TV stations this week is more serious than a mischievous hacker prank, say cyber experts, who warn the incident exposes lax security practices in a critical public safety system.
While broadcasters said poor password security paved the way for the bogus warning, security experts said the equipment used by the Emergency Alert System remained vulnerable when stations allow it to be accessed via the public internet.
The fear is that hackers could prevent the government from sending out public warnings during an emergency, or that attackers could conduct a more damaging hoax than a warning of a zombie apocalypse.
"It isn't what they said. It is the fact that they got into the system. They could have caused some real damage," said Karole White, president of the Michigan Association of Broadcasters.
Following the attacks on Monday, broadcasters were ordered to change the passwords for the EAS equipment.
The US Federal Communications Commission (FCC) would not comment on the attacks, but in an urgent advisory sent to television stations on Tuesday said: "All EAS participants are required to take immediate action."
It instructed them to change passwords on equipment from all manufacturers used to deliver emergency broadcasts. The FCC instructed them to ensure gear was properly secured behind firewalls and to inspect systems to ensure that hackers had not queued "unauthorised alerts" for future transmission.
The attacks come after warnings by government officials and outside security experts that the US is at risk of a cyber attack that could cause major physical damage or even cost lives. President Barack Obama told Congress on Tuesday that some hackers were looking for ways to attack the US power grid, banks and air traffic control systems.
White and her counterpart in Montana, Greg MacDonald, said they believed the hackers were able to get in because TV stations had not changed the default passwords they used when the equipment was first shipped from the manufacturer.
But Mike Davis, a hardware security expert with IOActive Labs, said hackers could still get past new passwords to remotely access the systems.
Davis said he had submitted a report to the Department of Homeland Security's US Computer Emergency Readiness Team, or US-CERT, about a month ago that detailed the security flaws.
"Changing passwords is insufficient to prevent unauthorised remote login. There are still multiple undisclosed authentication bypasses," he said. "I would recommend disconnecting them from the network until a fix is available."
Davis said he was able to use Google's search engine to identify 30 systems that he believed were vulnerable to attack as of Wednesday morning.
Privately held Monroe Electronics, whose equipment was compromised in Monday's attacks, said it was still evaluating the risks.
"The situation appears to just be the password stuff, but we are looking at anything else and everything that might come into play," said vice president Bill Robertson.
A spokesman for US-CERT said he could not immediately comment on the matter.
'Bodies are rising'
The zombie hackers targeted two stations in Michigan, and several in California, Montana and New Mexico, White said.
In a video posted on the internet of the bogus warning broadcast from KRTV, a CBS affiliate based in Great Falls, Montana, a male voice addressed viewers: "Civil authorities in your area have reported that the bodies of the dead are rising from the grave and attacking the living."
The voice warned not "to approach or apprehend these bodies as they are extremely dangerous."
Stuart McClure, chief executive of cyber security firm Cylance, said he had investigated cases in which hackers accessed EAS systems via a different method: breaking into hidden accounts built into the systems by manufacturers so that service technicians can easily access them for repairs.
"You cannot give a separate pass code to everybody. Nobody is going to remember it. You have to share the secret," said McClure, who previously ran a unit at Intel's McAfee security division that investigated cyber attacks.
Electronics industry experts said it is tough for some broadcasters to follow all security guidelines because staff at small stations lack the expertise to do so.
The equipment that was compromised obtains emergency broadcasts by frequently using the internet to make outward calls to trusted government servers. When it finds an alert on one of those servers, it broadcasts it on that station.
Monroe Electronics said its gear is designed to let stations make outgoing queries, but still keep outsiders from getting in. It recommends against unsecured access to the internet. "It's the wild, wild West," said Robertson.
He said the equipment sometimes gets exposed to the open internet because it is not properly configured or because engineers want remote access when they are on call.
Robertson said the company was working to beef up security on the equipment and might update its software to compel customers to change default passwords.
US Federal Emergency Management Agency spokesman Dan Watson said the zombie breach did not have any impact on the government's ability to activate the Emergency Alert System.