In the case of an actual emergency, your regularly scheduled TV or radio shows would be interrupted by a screeching tone before broadcasting a "this is not a test" warning. So file this one-about vulnerabilities to remotely hijack the Emergency Alert System (EAS)-under, "Oops, we didn't mean to open the door for nationwide War of the Worlds panic." That door didn't open (yet), but the key is in the lock, just waiting for an attacker to remotely take over, break into TV and radio shows, and broadcast bogus emergency warnings to the public.
Before such a warning was issued, application servers would receive, decode, and authenticate the emergency alert. The vulnerabilities in DASDEC‑I and DASDEC-II appliances from Digital Alert Systems, a division of Monroe Electronics, included accidentally shipping "the root privileged SSH key as part of a firmware update package."
"This key allows an attacker to remotely log on in over the Internet and can manipulate any system function," explained Mike Davis, principal research scientist for IOActive. "For example, they could disrupt a station's ability to transmit and could disseminate false emergency information. For any of these issues to be resolved, we believe that re-engineering needs to be done on the digital alerting system side and firmware updates to be pushed to all appliances."
Security researchers with IOActive have been sitting on the flaws, quietly waiting for CERT to contact the vendor, which then produced a patch for the vulnerability. In April, Monroe Electronics issued a firmware update to version 2.0-2 [pdf] for DASDEC and One-Net alert messaging systems. DHS's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)issued an advisory on July 3 about the compromised root SSH key in the DASDEC encoder/decoder devices. ICS-CERT warned, "An attacker with a moderate skill level could exploit this vulnerability." On July 8, having waited after discovering the hole, IOActive announced the vulnerabilities in the U.S. EAS.
"An attacker who gains control of one or more DASDEC systems can disrupt these stations' ability to transmit and could disseminate false emergency information over a large geographic area," states IOActive's vulnerability notice [pdf]. "In addition, depending on the configuration of this and other devices, these messages could be forwarded to and mirrored by other DASDEC systems."
FEMA also has a wireless alert system that can automatically send the shrieking emergency alert sound to mobile phones before sending mass text messages to those phones in an affected area. Damon Penn of FEMA told NBC, "The alert is designed to be a bell-ringer. It is designed to tell you that there is something going on and then you need to take action."
Let's hope we don't receive a phony and freaky text about zombies attacking.
Sign up for CIO Asia eNewsletters.