The warning from Mike Davis, a Principal Research Scientist at the firm IOActive, comes just days after unknown hackers compromised EAS systems at television stations in the U.S. and broadcast a bogus emergency alert claiming that the “dead were rising from their graves” and attacking people. Published reports say that at least four television stations were the victims of the hoax: WBKP and WNMU in Marquette, Michigan; KNME/KNDM in Albuquerque, New Mexico; and KRTV in Great Falls, Montana.
Davis says that he discovered and reported a number of critical vulnerabilities in a key component of the EAS system: multi-function hardware known as a CAP EAS or ENDEC device. Davis said he and a colleague downloaded and analyzed firmware for the dominant manufacturer of so-called CAP-EAS devices and found that the software was rife with critical, easily exploitable security vulnerabilities, including embedded passwords and remotely exploitable software vulnerabilities. Davis declined to name the vendor whose software he analyzed, but said he reported the issues to the Department of Homeland Security’s ICS-CERT. The hack of the devices used to broadcast the zombie warning sounds similar to the kinds of holes he just reported, he said.