By Jim Finkle
(Reuters) - A hacker infiltration of the U.S. emergency broadcast system on TV stations in at least four states came down to the fact that the stations had failed to change factory default passwords, broadcasters said on Wednesday.
The Monday attacks, which broadcast bogus warnings that the United States was under attack by zombies, prompted the government to order television stations to change passwords on the equipment that connects them to the nation's Emergency Alert System, or EAS.
The FCC would not comment, but in an urgent advisory sent to television stations on Tuesday the agency said: "All EAS participants are required to take immediate action."
It instructed them to change passwords on equipment from all manufacturers, making sure that gear was secured behind firewalls and to also inspect systems to ensure that hackers had not queued "unauthorized alerts" for future transmission.
While a zombie hoax appeared to be somewhat innocuous, the fact that hackers could easily broadcast an emergency message showed that they might be able to wreak havoc with more alarming communications.
"It isn't what they said. It is the fact that they got into the system. They could have caused some real damage," said Karole White, president of the Michigan Association of Broadcasters.
Two stations were attacked in Michigan, in addition to several in California, Montana and New Mexico, according to White.
A male voice addressed viewers in a video posted on the Internet of the bogus warning broadcast from KRTV in Great Falls, Montana, a CBS affiliate: "Civil authorities in your area have reported that the bodies of the dead are rising from the grave and attacking the living." The voice warned not "to approach or apprehend these bodies as they are extremely dangerous."
Bill Robertson, vice president of privately held electronics manufacturer Monroe Electronics of Lyndonville, New York, told Reuters that equipment from his company had been compromised in at least some of the attacks after hackers gained access to their default passwords.
Monroe publishes the default passwords for its equipment in user manuals that can be accessed on its public website.
He said that the company is working to improve the security of its products and may update its software to force broadcasters to change default passwords.
"They were compromised because the front door was left open. It was just like saying 'Walk in the front door,'" he said.
Mike Davis, a hardware security expert with a firm known as IOActive Labs, told Reuters that he was able to use Google Inc's search engine to identify some 30 alert systems across the United States that he believed were vulnerable to attack as of Wednesday morning.
"Somebody could have delivered their message to a lot more systems," said Davis, who last month sent a detailed report about vulnerabilities in EAS equipment to the Department of Homeland Security's U.S. Computer Emergency Readiness Team, or US-CERT.
Officials with US-CERT could not be reached.
Federal Emergency Management Agency spokesman Dan Watson said the breach did not have any impact on the government's ability to activate the Emergency Alert System.
(Reporting by Jim Finkle; Editing by Lisa Shumaker)