This is not a test

Several models of Emergency Alert System decoders, used to break into TV and radio broadcasts to announce public safety warnings, have vulnerabilities that would allow hackers to hijack them and deliver fake messages to the public, according to an announcement by a security firm on Monday.

The vulnerabilities included a private root SSH key distributed in publicly available firmware images, which would have allowed an attacker with SSH access to a device to log in with root privileges and issue fake alerts or disable the system.

IOActive principal research scientist Mike Davis uncovered the vulnerabilities in the application servers of two digital alerting systems known as DASDEC-I and DASDEC-II. The servers are responsible for receiving and authenticating emergency alert messages.

“These DASDEC application servers are currently shipped with their root privileged SSH key as part of the firmware update package,” Davis said in a statement. “This key allows an attacker to remotely log on in over the Internet and can manipulate any system function.”

Davis indicated that resolving the issue would require “re-engineering” of the digital alerting system side as well as firmware updates pushed out to appliances in the field.

A spokesman for Monroe Electronics, owner of the company that makes the DASDEC devices, says that the company stopped shipping the vulnerable systems in February and began issuing a firmware patch in April that eliminates the SSH key issue.
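A release check of the kind that catches a private key shipped inside a firmware update package, as described above: it walks an unpacked image and reports every file containing a PEM private-key header. This is an added example, not code from IOActive or Monroe Electronics; the file paths and key bodies in the sample tree are constructed placeholders.

```python
import re
import tempfile
from pathlib import Path

# PEM header of a private key (PKCS#1 RSA, DSA, EC, OpenSSH, PKCS#8).
PEM_PRIVATE = re.compile(
    rb"-----BEGIN ((?:RSA |DSA |EC |OPENSSH |ENCRYPTED )?PRIVATE KEY)-----")
LEGACY_ENCRYPTED = b"Proc-Type: 4,ENCRYPTED"  # legacy PEM passphrase marker

def find_private_keys(root):
    """Return sorted (relative_path, key_label, header_says_encrypted)."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue  # skip links and directories, stay inside the tree
        data = path.read_bytes()
        for m in PEM_PRIVATE.finditer(data):
            label = m.group(1).decode()
            # OpenSSH-format keys record their cipher inside the base64
            # body, so they are conservatively reported as unencrypted.
            encrypted = (label.startswith("ENCRYPTED")
                         or LEGACY_ENCRYPTED in data[m.end():m.end() + 64])
            findings.append((path.relative_to(root).as_posix(), label, encrypted))
    return sorted(findings)

# Constructed stand-in for an unpacked update package: hypothetical paths,
# placeholder bodies, no real key material.
SAMPLE_FILES = {
    "root/.ssh/id_rsa": b"-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n"
                        b"-----END RSA PRIVATE KEY-----\n",
    "etc/ssl/server.key": b"-----BEGIN RSA PRIVATE KEY-----\n"
                          b"Proc-Type: 4,ENCRYPTED\n\nPLACEHOLDER\n"
                          b"-----END RSA PRIVATE KEY-----\n",
    "root/.ssh/id_rsa.pub": b"ssh-rsa PLACEHOLDER root@example\n",
    "usr/bin/update.sh": b"#!/bin/sh\necho updating\n",
}

def scan_sample():
    """Write SAMPLE_FILES to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLE_FILES.items():
            path = Path(tmp, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(body)
        return find_private_keys(tmp)

if __name__ == "__main__":
    for finding in scan_sample():
        print(finding)
```

Any finding should block the release regardless of the encryption flag, since a key inside a publicly downloadable image is available to everyone who fetches it.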

IOActive didn’t identify the other vulnerabilities in its announcement but did link to an advisory issued last month by the Cyber Emergency Response Team (CERT) that indicated vulnerabilities existed not only in DASDEC-I and DASDEC-II but also in Monroe Electronics systems known as R189 One-Net/R189SE One-NetSE.

These included default administrative passwords that customers were forgetting to change after installing the systems.

Earlier this year hackers used default credentials to break into the Emergency Alert System at local TV station KRTV in Montana to interrupt programming with an alert about a zombie apocalypse.

