In the case of an actual emergency, your regularly scheduled TV or radio shows would be interrupted by a screeching tone before broadcasting a “this is not a test” warning. So file this one—about vulnerabilities to remotely hijack the Emergency Alert System (EAS)—under, “Oops, we didn’t mean to open the door for nationwide War of the Worlds panic.” That door didn’t open (yet), but the key is in the lock, just waiting for an attacker to remotely take over, break into TV and radio shows, and broadcast bogus emergency warnings to the public.
Before such a warning was issued, application servers would receive, decode, and authenticate the emergency alert. The vulnerabilities in DASDEC-I and DASDEC-II appliances from Digital Alert Systems, a division of Monroe Electronics, included accidentally shipping “the root privileged SSH key as part of a firmware update package.”
“This key allows an attacker to remotely log on in over the Internet and can manipulate any system function,” explained Mike Davis, principal research scientist for IOActive. “For example, they could disrupt a station’s ability to transmit and could disseminate false emergency information. For any of these issues to be resolved, we believe that re-engineering needs to be done on the digital alerting system side and firmware updates to be pushed to all appliances.”
Security researchers with IOActive have been sitting on the flaws, quietly waiting for CERT to contact the vendor, which then produced a patch for the vulnerability. In April, Monroe Electronics issued a firmware update to version 2.0-2 [pdf] for DASDEC and One-Net alert messaging systems. DHS’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued an advisory on July 3 about the compromised root SSH key in the DASDEC encoder/decoder devices. ICS-CERT warned, “An attacker with a moderate skill level could exploit this vulnerability.” On July 8, having held off on disclosure after discovering the hole, IOActive announced the vulnerabilities in the U.S. EAS.
“An attacker who gains control of one or more DASDEC systems can disrupt these stations' ability to transmit and could disseminate false emergency information over a large geographic area,” states IOActive’s vulnerability notice [pdf]. “In addition, depending on the configuration of this and other devices, these messages could be forwarded to and mirrored by other DASDEC systems.”
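The root cause described above is a private key that reached customers inside a firmware update package. As an added example (not code from IOActive, Monroe Electronics or the original article), here is a release-side check that walks an unpacked package tree and reports private key blocks and pre-installed `authorized_keys` entries. The function names, paths and sample files are constructed for illustration.

```python
import os
import re
import tempfile

# PEM armor that marks private key material (RSA, DSA, EC, OpenSSH, PKCS#8).
PRIVATE_KEY_RE = re.compile(
    rb"-----BEGIN ((?:RSA |DSA |EC |OPENSSH |ENCRYPTED )?PRIVATE KEY)-----")
# Public key types that can appear in an authorized_keys entry.
PUBKEY_RE = re.compile(rb"\b(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-\S+)\s+\S+")

def scan_tree(root):
    """Return sorted (relative_path, kind, detail) findings for an unpacked package."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # never follow links out of the unpacked tree
            with open(path, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            for m in PRIVATE_KEY_RE.finditer(data):
                findings.append((rel, "private-key", m.group(1).decode()))
            if name == "authorized_keys":
                for line in data.splitlines():
                    m = PUBKEY_RE.search(line)
                    if m and not line.lstrip().startswith(b"#"):
                        findings.append((rel, "preauthorized-key", m.group(1).decode()))
    return sorted(findings)

def demo():
    """Scan a constructed package tree; every file below is made-up sample data."""
    sample = {
        "etc/motd": b"constructed sample file\n",
        "root/.ssh/id_rsa": b"-----BEGIN RSA PRIVATE KEY-----\n"
                            b"CONSTRUCTED-NOT-A-REAL-KEY\n"
                            b"-----END RSA PRIVATE KEY-----\n",
        "root/.ssh/authorized_keys": b"# constructed entry\n"
                                     b"ssh-rsa AAAACONSTRUCTED support@example.invalid\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in sample.items():
            path = os.path.join(tmp, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(body)
        return scan_tree(tmp)

if __name__ == "__main__":
    for finding in demo():
        print(*finding, sep="\t")
```

A private key and a matching pre-authorized root entry in the same image is the combination to block at release time, since every device flashed from that image then trusts a key that anyone holding the package can read.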
FEMA also has a wireless alert system that can automatically send the shrieking emergency alert sound to mobile phones before sending mass text messages to those phones in an affected area. Damon Penn of FEMA told NBC, "The alert is designed to be a bell-ringer. It is designed to tell you that there is something going on and then you need to take action." Let's hope we don't receive a phony and freaky text about zombies attacking.
Back in 2011, FEMA was not amused when there was talk about hacking FEMA's EAS to hijack all radio and TV stations in the US. The agency responded that EAS “already has adequate safety and security measures in place to ensure that it will only be used by appropriate officials as a way to communicate with the American people in the event of a real emergency.”
But in February 2013, a Montana TV station broadcast an emergency alert warning about the zombie apocalypse. A hacker hijacked the system before sending the emergency alert: “Civil authorities in your area have reported that the bodies of the dead are rising from their graves and attacking the living. Follow the messages on screen that will be updated as information becomes available. Do not attempt to approach or apprehend these bodies as they are considered extremely dangerous.”
“We were hacked and we’re not proud of it.” Duane Ryan, director of programming at KENW in Portales, New Mexico, admitted the station had failed to change the vendor's default username and password on its EAS computers. “We’ve changed them now.”
Carnegie Mellon University (CMU) Software Engineering Institute (SEI) CERT Program first issued a vulnerability note about the EAS devices, including a reminder to change the default password. Believe it or not, using the factory-default password is a big problem for our nation’s critical infrastructure systems connected online. So much so that both US-CERT and ICS-CERT recently warned that changing the manufacturer’s default password is “imperative,” since brute force cyberattacks against critical infrastructure, especially the energy sector, are increasing.
ICS-CERT wrote, "DASDEC users can obtain the DASDEC v2.0-2 software update and release notes by contacting firstname.lastname@example.org."