Hackers could have a field day with the Emergency Alert System (EAS), thanks to vulnerabilities with equipment used to transmit the alerts, according to a new report.
According to Seattle-based IOActive, the systems that intercept emergency messages from federal officials and then interrupt regular broadcasts to transmit the message - known as DASDEC - are susceptible to cyber attacks.
"These DASDEC application servers are currently shipped with their root privileged SSH key as part of the firmware update package," Mike Davis, principal research scientist for IOActive, said in a statement. "This key allows an attacker to remotely log on in over the Internet and can manipulate any system function."
Hackers might disrupt a station's ability to transmit in order to broadcast their own, false message, according to Davis, who said "re-engineering needs to be done on the digital alerting system side and firmware updates to be pushed to all appliances."
The DASDEC systems are produced by New York-based Monroe Electronics. In April, Monroe released a software update for the DASDEC messaging system that it said resolved "potential security vulnerabilities and improve[d] several operational features" for the EAS.
That included the removal of default SSH keys, a simplified way for the user to load new SSH keys, and changes to password handling, among other things.
Monroe did not immediately respond to a request for comment, nor did the Federal Emergency Management Agency (FEMA), which handles oversight of the EAS.
But in a July 2 notice, the Homeland Security Department, which governs FEMA, addressed the IOActive report.
"IOActive reports that the administrative web server uses a predictable, monotonically increasing session ID," DHS said. "This finding is based on running the web server in a test environment. Testing on a variety of firmware versions on devices both at the factory and in the field, Monroe Electronics could not reproduce this finding."
Still, DHS did acknowledge vulnerabilities within the EAS. To fix the issue, the agency pushed for an update, which was rolled out April, but also encouraged users to: disable the compromised SSH key; manually inspect SSH keys; restrict access; and change default passwords.
According to IOActive, "each EAS participant needs to upgrade any Monroe hardware they're currently using. To the best of my knowledge there is still a significant number of vulnerable systems on the Internet that have not patched this issue. Additionally, many EAS systems run in a peer-to-peer network so even partial patching of the issue may still result in widespread fictitious EAS alerts."
IOActive's report comes several months after hackers breached a Montana TV station's emergency alert system, and sent out a bogus warning about zombie attacks. "Civil authorities in your area have reported that the bodies of the dead are rising from their graves and attacking the living," the message told viewers.
The zombie hackers reportedly struck in Michigan and New Mexico, too.
The EAS is used by broadcast, cable, satellite, and wireline providers and allows for quick alerts during an emergency. The first-ever nationwide EAS test was conducted in Nov. 2011 with a 30-second interruption of almost every radio and TV broadcast in the nation.
0 comments:
Post a Comment