Emergency alertsU.S. Emergency Alerting System (EAS) vulnerable to hacking

Security specialist IOActive, Inc. announced it has discovered vulnerabilities in the U.S. Emergency Alerting System (EAS) which is widely used by TV and radio stations across the United States.

IOActive’s principal research scientist, Mike Davis, uncovered the vulnerabilities in the digital alerting systems — DASDEC — application servers. The DASDEC receives and authenticates EAS messages.

Once a station receives and authenticates the message, the DASDEC interrupts the broadcast and overlays the message onto the broadcast with the alert tone containing some information about the event. The affected devices are the DASDEC-I and DASDEC-II appliances.

“Earlier this year we were shown an example of an intrusion on the EAS when the Montana Television Network’s regular programming was interrupted by news of a zombie apocalypse. Although there was no zombie apocalypse, it did highlight just how vulnerable the system is,” said Mike Davis, principal research scientist for IOActive. “These DASDEC application servers are currently shipped with their root privileged SSH key as part of the firmware update package. This key allows an attacker to remotely log on in over the Internet and can manipulate any system function. For example, they could disrupt a station’s ability to transmit and could disseminate false emergency information. For any of these issues to be resolved, we believe that re-engineering needs to be done on the digital alerting system side and firmware updates to be pushed to all appliances.”

The DASDEC systems are produced by New York-based Monroe Electronics. PC Mag reports that in April, Monroe released a software update for the DASDEC messaging system that it said resolved “potential security vulnerabilities and improve[d] several operational features” for the EAS.

This included the removal of default SSH keys, a simplified way for the user to load new SSH keys, and changes to password handling, among other things.

Davis said that “each EAS participant needs to upgrade any Monroe hardware they’re currently using. To the best of my knowledge there is still a significant number of vulnerable systems on the Internet that have not patched this issue. Additionally, many EAS systems run in a peer-to-peer network so even partial patching of the issue may still result in widespread fictitious EAS alerts.”

According to Monroe, however, “the very large majority of customers have already obtained this software update.”

“There have been no reports of any incidents whatsoever relating to SSH keys, and we issued this security update as a precautionary measure,” a Monroe spokesman said. “Importantly, equipment such of this should always be used in conjunction with network security measures — such as firewalls. The concerns raised by CERT could become potential vulnerabilities only where basic network security practices are not followed, such as using firewalls and other measures to secure network connections.”

Dan Watson, a spokesman for the Federal Emergency Management Agency (FEMA), which handles oversight of the EAS, told PC Mag that the glitch was fixed via the Monroe update. He also pointed to a 2 July notice from DHS, which addressed the IOActive report.

“IOActive reports that the administrative web server uses a predictable, monotonically increasing session ID,” DHS said. “This finding is based on running the web server in a test environment. Testing on a variety of firmware versions on devices both at the factory and in the field, Monroe Electronics could not reproduce this finding.”

DHS acknowledged, however, that there are vulnerabilities within the EAS. To fix the issue, the agency urged participants to install the update, disable the compromised SSH key, manually inspect SSH keys, restrict access, and change default passwords.

The EAS, which became operational on 9 November 2011, is designed to enable to the president of the United States to speak to the nation within ten minutes of a disaster occurring. In the past these alerts were passed from station to station using the AP or UPI “wire services” which connected to television and radio stations around the United States. Whenever the station received an authenticated Emergency Action Notification (EAN), the station would disrupt its current broadcast to deliver the message to the public. On Wednesday 26 June, the Cyber Emergency Response Team (CERT) published an advisory providing details of the vulnerability.

IOActive has also issued its own IOActive Labs Advisory outlining the affected products, the impact and the solution.