How Secure is the US Emergency Alert System?
We interrupt this broadcast to bring you the following emergency message. This is not a test. The bodies of the dead are rising from their graves and attacking the living…
This is not a scene from the hit television series The Walking Dead. Nor, obviously, is it a real alert issued by America’s Emergency Alert System (EAS), but it is a “real” message broadcast by that system to viewers in Montana back in February of 2013, when hackers broke into the EAS. The hacked warning, broadcast by a single Montana CBS Television affiliate, went on to say, “Do not attempt to approach or apprehend these bodies as they are considered extremely dangerous.”
Of course authorities knew the Zombie Apocalypse was not upon us, and that some unknown hacker had exploited vulnerabilities in the EAS to broadcast the fake warning. What they did not know is how – that is, until recently. On June 26th, 2013, the Department of Homeland Security (DHS) issued a security alert (Vulnerability Note VU#662676) stating that all Digital Alert Systems DASDEC-I and DASDEC-II appliances, as well as the Monroe Electronics One-Net E189 Emergency Alert System, used by EAS, contain “multiple vulnerabilities that could be exploited to provide remote access to, and control of, the EAS equipment.”
The alert was issued after Mike Davis, principal research scientist with IOActive, an information and cyber-security firm, discovered the vulnerabilities and reported them to DHS. In his report Davis said, “An attacker who gains control of one or more DASDEC systems can disrupt these stations' ability to transmit and could disseminate false emergency information over a large geographic area. In addition, depending on the configuration of this and other devices, these messages could be forwarded to and mirrored by other DASDEC systems.”
The Security Advisory issued by IOActive to DHS gave the system its “critical” rating and went on to warn that DASDEC-I and DASDEC-II application servers, made by Digital Alert Systems, were left wide open to attackers after a recent firmware update shipped to users also included a copy of their default private root secure-shell (SSH) key.
Using the key, an attacker with limited knowledge could gain remote access to the Linux-based EAS encoder/decoder (ENDEC) devices and then, according to Davis, “manipulate any system function,” including broadcasting fake emergency alerts over large geographic areas via digital and analog channels.
That was not the only vulnerability exposed in the IOActive security advisory. The second major vulnerability is that the devices ship with default passwords installed that provide full access. “Like many similar devices, the DASDEC and One-Net ENDECs use default administrative credentials,” according to the DHS security alert. “Some user sites fail to change the default administrative password and allow unrestricted Internet access” to the device. When users fail to change the default password, hackers who either know or can obtain the default password could remotely log onto the devices unchallenged and gain root privileges.
Given Fair Warning
The good news is that not only are the dead not rising from their graves, but solutions to the vulnerabilities have also been issued. Monroe Electronics, the makers of the units in question, released a fix in April 2013 with a new firmware update, firmware v2.0-2. According to DHS, this update “disables the compromised SSH key, provides a simplified user option to install new unique keys, and enforces a new password policy.”
Today, both the Monroe Electronics and Digital Alert Systems homepages include a prominent security recommendation that their EAS appliance customers should update to the v2.0-2 firmware, must “change the factory default password,” and should make sure that “all network connections are behind secure firewalls.”
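As an added illustration (not from the article, IOActive or the vendor), here is one way an operator could confirm that a revoked factory key is no longer trusted for login: compute the OpenSSH-style SHA256 fingerprint of every entry in an authorized_keys file and compare it against a revocation list. The key material, comments and file contents below are constructed for the demonstration; the actual DASDEC key is not reproduced.

```python
import base64, hashlib, struct

def ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b  # SSH wire format: 4-byte length + data

def make_ed25519_blob(raw32: bytes) -> str:
    """Build a constructed ssh-ed25519 public key blob (base64) for the demo."""
    return base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(raw32)).decode()

def fingerprint(b64_blob: str) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-")

def parse_authorized_keys(text):
    """Yield (line_no, key_type, blob, comment); skips blanks and comments.
    Simplification: assumes option strings contain no spaces."""
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        for i, f in enumerate(fields):
            if f.startswith(KEY_TYPES) and i + 1 < len(fields):
                yield n, f, fields[i + 1], " ".join(fields[i + 2:])
                break

def audit(text, revoked):
    """Return (line_no, fingerprint, comment) for every entry still trusting a revoked key."""
    findings = []
    for n, _ktype, blob, comment in parse_authorized_keys(text):
        try:
            fp = fingerprint(blob)
        except ValueError:  # malformed base64: not a usable key entry
            continue
        if fp in revoked:
            findings.append((n, fp, comment))
    return findings

VENDOR_KEY = make_ed25519_blob(b"\x01" * 32)  # constructed stand-in for a factory key
SITE_KEY = make_ed25519_blob(b"\x02" * 32)    # constructed site-unique key
SAMPLE = f"""# root authorized_keys (constructed)
ssh-ed25519 {VENDOR_KEY} factory-default
from="10.0.0.0/8",no-pty ssh-ed25519 {SITE_KEY} ops@station
"""
REVOKED = {fingerprint(VENDOR_KEY)}

if __name__ == "__main__":
    print(audit(SAMPLE, REVOKED))
```

Any finding means the device would still accept whoever holds the matching private key, regardless of the password policy in place.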
Although this patch was released in April, Davis in his July Advisory stated, “Each EAS participant needs to upgrade any Monroe hardware they’re currently using. To the best of my knowledge there is still a significant number of vulnerable systems on the Internet that have not patched this issue. Additionally, many EAS systems run in a peer-to-peer network so even partial patching of the issue may still result in widespread fictitious EAS alerts.”
The EAS was created to allow the President to address the entire country within 10 minutes of a nationwide disaster. Equipment such as the DASDEC-I and DASDEC-II servers was designed to interrupt regular broadcast programming by TV and radio stations and relay an emergency message, which is preceded and followed by familiar alert tones.
Davis did not go on record as saying he believes exploitation of either of his discovered vulnerabilities is how the fake “Zombie Warning” was accomplished. However, now that we are aware of them, it stands to reason they were involved. In a July 12th statement issued to PC Magazine, a Monroe Electronics representative said the “vulnerability played no role in the bogus Zombie Apocalypse warnings.”
The purpose of the DHS Alert was to urge users to make use of the available fix. Any stations that use the vulnerable alert equipment should upgrade immediately to version 2.0-2, which is available by sending an e-mail to firstname.lastname@example.org.