2013 Emergency Alert System hijackings

On February 11, 2013, the Emergency Alert System of five different television stations across the U.S. states of Montana, Michigan, Wisconsin, and New Mexico were hijacked, interrupting each television broadcast with a Local area emergency message warning viewers of a zombie apocalypse. The message was subsequently declared as a hoax by local authorities and was reported to be a result of hackers gaining access to the Emergency Alert System equipment of various television stations.

The first incident took place in Great Falls, Montana, during an afternoon airing of The Steve Wilkos Show on CBS affiliate television station KRTV. The television signal was abruptly interrupted by an audible Local area emergency alert reading "Local authorities in your area have reported that the bodies of the dead are rising from their graves and attacking the living". Later the same day the stations of CBS affiliate WKBT-DT, ABC affiliate WBUP, and PBS member station WNMU in Marquette, Michigan, and La Crosse, Wisconsin, respectively, had their Emergency Alert System hijacked, transmitting a similar "Zombie Apocalypse" alert during their primetime programming hours. Not long afterwards, the television broadcasts of PBS affiliate KENW in Portales, New Mexico were also interrupted by the false alert. The hijackers were later apprehended by authorities shortly after the incident.

Just two days after the initial hijackings on February 13, 2013, a morning show on WIZM-FM in La Crosse aired an audio recording from the hoax alert, which triggered WKBT-DT's Emergency Alert System once more, relaying the message over the television station's broadcast signals. On February 28, 2017, radio station WZZY in Winchester, Indiana, had their emergency alert equipment hijacked in an almost identical manner using the same "zombie apocalypse" hoax audio message as the one used in the incidents in 2013.

CBS, ABC, and PBS hardware engineers who investigated the initial incidents reported that the hijackers likely gained access to the Emergency Alert Systems through a variety of weaknesses in the various station's emergency alert equipment, including a vulnerability in the machine's authentication bypass security and the usage of default passwords that were listed on online user manuals.

Hijackings
All five emergency alert hijackings took place on February 11, 2013, in Great Falls, Montana, Marquette, Michigan, La Crosse, Wisconsin, and Portales, New Mexico. The hijackings primarily compromised the television stations of KRTV, WKBT-DT, WBUP, WNMU, and KENW; however, the incident also led to stations ABC10 and its sister station CW 5 to disconnect their networks from the EAS system to prevent further intrusions. WKBT-DT was also struck again with the same hoax alert only two days after the initial incidents after a morning show on WIZM-FM triggered WKBT's Emergency Alert System. In February 2017, radio station WZZY in Randolph County, Indiana, was also hijacked with an identical "zombie apocalypse" EAS alert as the ones in 2013.

KRTV
On the afternoon of February 11, 2013, at approximately 2:30 to 2:33 pm MST, an airing of The Steve Wilkos Show on KRTV's channels 1 and 2 was suddenly interrupted by a false Local area emergency alert transmitted by KRTV's Emergency Alert System after the system was hijacked via access to the television stations emergency alert equipment. Following the signal interruption, viewers were met with an audible message that read:   "'Civil authorities in your area have reported that the bodies of the dead are rising from their graves and attacking the living. Follow the messages on-screen that will be updated as information becomes available. Do not attempt to approach or apprehend these bodies, as they are considered extremely dangerous. I repeat: civil authorities in your area have reported that the bodies of the dead are rising from their graves and attacking the living. Follow the messages on-screen that will be updated as information becomes available. Do not attempt to approach or apprehend these bodies, as they are considered extremely dangerous. This warning applies to all areas receiving this broadcast. Tune into 920 AM to get updated information in the event that you are separated from your television or that the electrical service is interrupted. Civil authorites in your area have reported that the bodies of the dead are rising from their graves and attacking the living. Follow the messages on screen that will be updated as information becomes available. This station will now cease transmission, so please use your battery powered radio and tune into 920 AM for further information.'" The Emergency Area Alert warned viewers of "bodies from the dead" in the areas surrounding Powell, Broadwater, Jefferson, and Lewis & Clark counties. Not long after the broadcast was transmitted, local authorities declared the alert as a hoax. The audio was later discovered to have been taken directly from a 2008 YouTube video titled "Zombie Emergency Alert System Warning (EAS)". The first sentence of the audio was also used in an Anthrax song, Fight 'Em 'Til You Can't.

WKBT-DT, WBUP, WNMU
The second hijacking took place in Marquette, Michigan, and La Crosse, Wisconsin, when the Emergency Alert System for the television stations of WKBT-DT in La Crosse, and WBUP and WNMU in Marquette at approximately 3:55 pm MST, were hacked, interrupting the television broadcasts with the same "zombie apocalypse" alert as before. The signal interruption occurred during WNMU's and WBUP's primetime afternoon broadcasting of Barney & Friends and The Bachelor.

KENW
The final hijacking took place in Portales, New Mexico, at 5:35 pm MST, when television station KENW's Emergency Alert System was also hijacked, interrupting its television broadcasts with the same false emergency alert as the previous two incidents. The hackers were reportedly found by authorities shortly after the hijacking; however, further information on the perpetrators of the hijackings was never released.

Similar incidents
A similar incident involving the "zombie apocalypse" EAS hijacking took place during a morning talk show broadcast by WIZM-FM in La Crosse, when the hosts of the show, who were reacting with laughter to the hoax, played the audio recording from the alert. However, producers of the show failed to edit out the Specific Area Message Encoding (SAME) tones used in the alert, which led to the triggering WKBT-DT's Emergency Alert System. As a result, WKBT-DT's emergency alert equipment relayed the message from the hoax over the stations regular programming.

The FCC has since strongly prohibited the usage of actual or simulated EAS/WEA and SAME tones outside of genuine emergency alerts to protect the integrity of the system and to prevent signal relay incidents like the one in 2013. Any broadcasters that use the tones outside of a real emergency may be heavily fined or sanctioned.

On February 28, 2017, radio station WZZY, 98.3, in Randolph County, Indiana aired the same "bodies rising from the dead" false alert message from 2013 after their SAGE ENDEC EAS equipment was hijacked. The incident prompted the Randolph County Sheriff's Department to make a public announcement clarifying that WZZY's emergency alert equipment had been hacked and that no emergency was present.

Methods
There are numerous methods hackers will use to hijack the Emergency Alert System; however, the likely method used by the hijackers of the "zombie apocalypse" hoax, as reported by authorities and the television station engineers, was that the hackers were able to gain access to the emergency alert equipment via default system passwords that were listed in public user manuals. This would have came as a result of television station broadcasters neglecting to change the factory default logins and passwords on their equipment.

Government response
A failure to prevent access into emergency alert equipment by broadcasters has been the subject to most of cybersecurity breaches of the Emergency Alert System. As a result, the federal government has made numerous statements to television broadcasters that a neglection to investigate unpatched software vulnerabilities and failure to implement secure passwords for EAS machines will lead to a massive failure in equipment security and a major cybersecurity breach such as the one in 2013.

The Federal Emergency Management Agency (FEMA) has also stated to television broadcasters of certain vulnerabilities in EAS encoders/decoders that, if not updated, could allow outside sources to gain access to various television station's EAS equipment and broadcast emergency messages over regular programming.

Aftermath and investigation
Following the hijacking incidents, both the FCC and the FEMA urged the broadcasters involved in the incidents to reset their passwords and recheck security measures. Trade groups, including the Michigan Association of Broadcasters, also requested that its partnered television stations, including WBUP and WNMU in Michigan, to update any unpatched security vulnerabilities of their emergency alert devices.

Investigations into the hijackings occurred via both local and federal authorities, with possible investigations partaken by the Federal Bureau of Investigation (FBI) and the Federal Communications Commission (FCC), who initially detected that the hijackings came from an overseas source. The hackers involved in hijackings were reportedly caught and arrested; however, any further information on the perpetrators' identities or charge remain unknown.

Shortly after the hijackings occurred, the Great Falls Police Department announced to the Great Falls Tribune that the alert was a hoax and there was no danger in the areas surrounding Great Falls. Similarly, almost immediately after the false emergency message aired, KRTV announced on air: "This message did not originate from KRTV, and there is no emergency".

Following the hijacking incident in February 2017, the Randolph County Sheriff's Department made a public statement announcing that the emergency alert was a false alarm and a hoax, after its local radio station, WZZY, was hacked with the same false emergency message.