On Monday, attackers were able to get access to an ENDEC machine at a TV station in Great Falls, Mont., and send out a fake emergency alert that warned of an ongoing zombie apocalypse. Reports suggest that attackers also went after ENDECs at other TV stations, as well. It's not clear what bugs the attackers were exploiting in those machines, but Mike Davis, principal research scientist at security firm IOActive, said that he found some vulnerabilities in ENDECs made by popular manufacturers that could enable an attacker to do exactly what the Montana hackers did.
The problems lie in the firmware loaded on the ENDECs. These machines are designed to receive encoded messages from the EAS, decode and authenticate them and then broadcast them over the air. The system is designed to be automated and it has to sit on a network, rather than as a standalone box in a station. Many of these boxes are discoverable on the Internet, Davis said, which makes them available to attackers. Davis said that he spent a few hours one day looking at the firmware on these devices, as a sideline from another research project, and found a number of vulnerabilities, the most serious of which allowed him to log in remotely to an ENDEC and insert a message that would be broadcast over the EAS."
Link to Original Source