Lake Worth ‘zombie’ entered in city email
Hacker’s power-outage prank raises cybersecurity alarms.
LAKE WORTH — To atone for their infamous zombie alert heard ’round the world, city officials are issuing a new one. And this time it’s for real.
In what they hope will be an amusing spectacle of self-parody, electric utility crews will park a bucket truck inside a makeshift zombie quarantine zone at the downtown Cultural Plaza on Oct. 26 for the city’s annual Halloween party for kids.
“It’s just our way of poking fun at ourselves,” said city spokesman Ben Kerr, referring to the May 20 power outage that the city’s hacked notification system blamed on “extreme zombie activity,” inspiring jokes on late-night television and headlines from as far away as Australia.
The hoax also attracted dead-serious inquiries from the FBI and Federal Communications Commission about how the system was hacked. Nearly five months later, exactly who was responsible remains a mystery.
But one cybersecurity expert has a pretty good idea about what probably happened: A computer-savvy male in his teens or 20s pulled off what is known as a “notoriety hack” aimed not at doing any harm but at securing laughs and bragging rights among hackers.
“My guess is there is some smart teen in your neck of the woods who is having a heyday claiming credit for this among the hacking community on the dark web,” said James Norrie, dean of the Graham School of Business at York College of Pennsylvania.
“The unfortunate part is that this exposes a weakness in your utility,” he added. “The mere fact that someone could get into the system is a wake-up call. What if you had a real pro that really wanted to do some damage?”
Earlier this week, the city was dealing with another “potential breach” related to its utility system. On Tuesday, the city warned utility customers who pay their bills online that their credit card information might have been breached over the past six weeks.
The vendor who manages the city’s online transactions is investigating and “steps have been taken to neutralize any further potential breach through the vendor’s system,” the city said.
Whoever created the zombie alert “used a city email” address to gain access to the notification alert system, Darrell Lopez, chief executive officer for Public Telephone Company of America, told The Palm Beach Post. Lopez’s Orlando-based company designed and built the city’s Power Tracker system in 2014.
Asked how he was so certain that the hacker had a Lake Worth city government email address, Lopez told a Palm Beach Post reporter last week before hanging up: “Because we traced it, and that’s all I’m saying.”
That was news to Lake Worth utility officials, who wondered why Lopez never shared that conclusion with them. In May, just two days after the “zombie alert” went out, Kerr told media outlets that “no staff member was found to be involved and no one has been fired for it.”
But even if the hacker had a city email address, that doesn’t necessarily mean a city employee is responsible.
It’s possible that someone gained access through a “phishing attack,” an email aimed at tricking someone — in this case a Lake Worth city employee — into believing the message is something they need, such as request from a bank or a colleague, said Dr. Steven Andres, who teaches management information systems at San Diego State University.
“It could also be a disgruntled employee,” Andres said. “It’s hard to tell.”
Norrie said, “It’s very likely to be somebody who has an insider’s access or someone who corrupted an insider.”
The zombie alert actually was sent out in two separate outages, during Hurricane Irma in September 2017 and on May 20, but city officials erased the first one before it was viewed by the public.
PTC charges the city $2,000 a month for the Outage Notification System, which includes automatic messages and emails and voice recordings that offer explanations and updates when the power goes out.
Also referred to as the Lake Worth Power Tracker, the system is not connected to the city’s power grid.
The hack only affected a handful of pre-written messages that appeared on the system’s online overlap map of the city, which has nearly 900 different sections or “layers.”
The messages are written by Lake Worth electric utility employees, but they also can be accessed and edited by PTC employees, said Jason Bailey, assistant director of system operations for the electric utility.
‘Walking Dead’ link
When the power goes out, the map highlights the affected areas with small red boxes. By clicking on one of the boxes, customers can read brief pop-up messages with explanations and updates.
When the system works as it should, a map message might look like this: “POWER OUTAGE 200 AND 300 BLOCK OF FORDHAM AND DARTMOUTH DRIVE AND THE 2200 BLOCK OF NORTH FEDERAL HIGHWAY 34 CUSTOMERS AFFECTED RESTORATION TIME 3 HOURS.”
On Sept. 9, 2017, as Hurricane Irma made landfall in South Florida, Kerr was monitoring the scattered power outages on electronic maps in the city’s Emergency Operations Center when he noticed this message:
“POWER OUTAGE AND ZOMBIE ALERT FOR RESIDENTS OF LAKE WORTH AND TERMINUS. THERE ARE NOW FAR LESS THAN SEVEN THOUSAND THREE HUNDRED AND EIGHTY CUSTOMERS INVOLVED DUE TO EXTREME ZOMBIE ACTIVITY. ...”
Staring at the message, Kerr wondered if he was hallucinating from exhaustion. He alerted electric utility officials a few miles away.
“I looked at it and I’m like, ‘holy crap!’ – the exact words that came out of my mouth,” recalled Walt Gill, assistant electric utility director.
The fake alert provided a clue about the person who wrote it: That person most likely watches “The Walking Dead,” an AMC hit show about a zombie apocalypse. “Terminus” is a fictional town featured in the show’s fourth season, which premiered in 2013 and concluded on March 30, 2014, around the same time PTC installed the city’s system.
City workers promptly erased the fake message, which apparently went unnoticed by the public. (With Irma’s outer bands raging, customers likely didn’t need to consult the Power Tracker map for an explanation of why the power went out.)
As a precaution, PTC changed the web address and the user account passwords on Sept. 10, 2017.
And city officials, not knowing if the zombie alert was the work of a mischievous kid or someone with more sinister motives, alerted the FBI.
After power was restored in the days after the hurricane, PTC technicians worked with Bailey’s staff to review nearly 3,000 pre-written messages in the system to make sure they had killed off any other “zombie alerts.”
“They thought they had captured every single one,” Gill said.
But eight months later, it happened again. And this time, during a 37-minute outage that affected 7,880 customers at 1:45 a.m. on May 20, the public saw it.
“Normally during a power outage, they’re not happy. But this was different,” Kerr recalled.
In an email thread among utility workers trying to troubleshoot the hoax, Kerr wrote on May 21: “I should let you know that the public absolutely loved it. It is the most positive response to an outage I have ever seen. In one resident’s words, ‘If this guy gets fired, we MUST rebel! This person deserves a medal!’...”
Emails and calls started pouring in from media outlets, which produced headlines like “Zombie alerts issued in Lake Worth” and “More power to zombies.”
Kerr, who spent the next two days talking to amused reporters, said he sensed enthusiasm about the gaffe and tried not to “come across as too serious” in his comments.
“Staff has scrubbed the system of all these messages, and we should not have any more zombie alerts going out, at least until the actual zombie invasion,” he told a local TV station.
Jokes — and gripes
The errant alert wound up in Jimmy Fallon’s monologue on “The Tonight Show” and blossomed into a source of friendly ribbing in emails to city employees.
“I hope all is well and you are not too busy fighting zombies,” an architect wrote to Assistant City Manager Juan Ruiz.
“If you need any help, me and Mark have watched a lot of Walking Dead and wouldn’t mind testing out our zombie skills,” a subcontractor wrote to utility worker Michael Jenkins.
“How do I mark myself safe after a disaster? Family and friends have been reaching out after the zombie attack,” one resident asked on Facebook.
Not everyone was amused, especially longtime residents who for decades have endured problems from the city’s aging power grid, including sporadic blackouts during calm weather.
“This zombie attack message made national news and was embarrassing as a resident. It shows how the city of Lake Worth does not treat its services seriously and does not care about its customers,” Joseph Yanni wrote in an email to a city official.
The fake zombie alert wasn’t the only strange occurrence with the city’s utility this year. In April, a transformer at the main substation exploded without warning, causing a citywide blackout and prompting an investigation that is still open into whether someone fired a weapon at the device.
But the majority of zombie reaction was light and fun, inspiring breathless suggestions for 5K zombie runs, zombie pub crawls, “I survived the Lake Worth zombie alert” T shirts and billboards pitching Lake Worth as friendly to zombies.
When Kerr flew to his native Scotland later that week to get married, he arrived in Glasgow to jokes from wedding guests who had read his name in news outlets in the United Kingdom.
When he returned to Lake Worth in early June, “My phone was so full it couldn’t take any more messages. My email server took forever to start up,” he said.
Some of the voice messages were left by agents from the FBI and FCC.
“When we hear about zombie alerts, we need to do some follow-up because the Emergency Alert System has been hacked a couple of times,” said Greg Cooke of the FCC’s Public Safety and Homeland Security bureau.
In February 2013, people in California, Michigan, Montana and New Mexico heard warnings about attacking zombies on TV stations because of an EAS hack.
“Local authorities in your area have reported the bodies of the dead are rising from their graves and attacking the living,” an ominous voice warned in a message heard during a Michigan station’s airing of an episode of the children’s show “Barney and Friends.”
The Lake Worth hack didn’t affect the federal alert system, so the FCC and FBI never launched full investigations.
With help from PTC, electric utility workers found five zombie alerts in the city’s Power Tracker system. They also determined that the five alerts, which have been erased, had most likely been in the system when the first zombie alert was discovered in September 2017.
The zombie furor eventually died down, but Kerr recalled an appearance he made this summer at a neighborhood meeting to offer updates about city projects. He mentioned the fake zombie alert.
“There were two teenagers, like 16-year-old kids, in the audience. I thought they were there with their parents,” he recalled. When Kerr left, he found the kids “waiting outside my car. They were real shy but they asked to get a selfie with me because of the zombie thing,” he said with a laugh.
When a reporter told Norrie about Kerr’s encounter with the two teens, the cybersecurity expert laughed and wondered if they were the zombie hackers seeking a trophy.
With Halloween approaching, city officials figured they might as well have fun with zombies — and poke fun at themselves at the annual Halloween party. Mayor Pam Triolo got into the spirit and has asked city staff to convert a photograph of herself into a zombie as part of the party decorations.
“I told our staff they could invite the walking dead to be honorary guests. I’d even give them the key to the city,” she said, adding, “We like to make lemonade out of our lemons.”
While the two cybersecurity experts agreed the zombie episode was amusing, they said Lake Worth officials would be wise to take a hard look at making sure they’re doing everything they can to prevent a potentially more serious attack.
If not, “then maybe the real zombies are at City Hall,” Norrie said.
“This was a wonderfully innocent warning. Now the only question is: What do you do to learn from this?”
The systems operations room at Lake Worth’s main power-generation facility. City officials were monitoring maps in this room in September 2017 when they noticed the first of two “zombie alerts” on the Outage Notification System in the city’s Power Tracker setup.
This “zombie alert” went out May 20 to Lake Worth residents. The hacker was apparently a fan of AMC’s “The Walking Dead.”