Application servers used as part of the nation's emergency alerting system (EAS) suffer from a remotely exploitable vulnerability, according to Mike Davis, principal research scientist, IOActive, Inc.
Davis says the servers "are currently shipped with their root-privileged SSH key as part of the firmware update package. This key allows an attacker to remotely log on over the Internet and can manipulate any system function. For example, they could disrupt a station's ability to transmit, and could disseminate false emergency information. For any of these issues to be resolved, we believe that re-engineering needs to be done on the digital alerting system side and firmware updates to be pushed to all appliances."
A recent vulnerability note from the Software Engineering Institute Community Emergency Response Team (CERT) at Carnegie Mellon University stated: "Digital Alert Systems DASDEC and Monroe Electronics One-Net E189 Emergency Alert System devices exposed a shared private-root SSH key in publicly available firmware images. An attacker with SSH access to a device could use the key to log in with root privileges."
Actual takeovers of isolated parts of the alert system are not unknown. "Earlier this year, we were shown an example of an intrusion on the EAS when the Montana Television Network's regular programming was interrupted by news of a zombie apocalypse," Davis said. During the "alert," viewers of CBS affiliate KRTV heard the grating short-tone bursts that usually signal that "this is a test of the Emergency Broadcast System." In this case, however, the audience was subsequently warned that "the bodies of the dead are rising from their graves and attacking the living."
According to IOActive, it is not known whether the flaw that Davis found was the same flaw used in the Montana zombie incident.
The two makers of equipment affected by the root-privilege flaw have issued firmware updates that correct the problem, according to CERT.
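One way an operator could check whether a root account still trusts a key that is known to be public, such as the shared key CERT describes, is to fingerprint every `authorized_keys` entry and compare it with a denylist. This is an added example, not code from IOActive, CERT or the vendors; the function names, sample file and key blobs are constructed placeholders, since the article does not give the real key's fingerprint.

```python
import base64
import binascii
import hashlib
import struct

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-")

def fingerprint(b64_blob):
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob."""
    raw = base64.b64decode(b64_blob, validate=True)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def audit_authorized_keys(text, denylist):
    """Return (line_number, fingerprint, comment) for each denylisted key."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # Entries may begin with options (from=..., command=...), so locate
        # the key-type field instead of assuming it is first.
        for i, field in enumerate(fields[:-1]):
            if field.startswith(KEY_TYPES):
                try:
                    fp = fingerprint(fields[i + 1])
                except (binascii.Error, ValueError):
                    break  # malformed blob: not a usable key
                if fp in denylist:
                    hits.append((lineno, fp, " ".join(fields[i + 2:])))
                break
    return hits

def _blob(seed):
    """Constructed stand-in for a key blob (placeholder bytes, not a real key)."""
    body = struct.pack(">I", 7) + b"ssh-rsa" + seed
    return base64.b64encode(body).decode()

# Constructed sample data: SHARED stands in for the vendor key published in
# the firmware image; UNIQUE for a key generated on one device.
SHARED, UNIQUE = _blob(b"shared-firmware-key"), _blob(b"per-device-key")
DENYLIST = {fingerprint(SHARED)}
SAMPLE = "\n".join([
    "# /root/.ssh/authorized_keys (constructed)",
    f"ssh-rsa {UNIQUE} admin@station",
    f'from="192.0.2.10" ssh-rsa {SHARED} vendor support',
    "ssh-rsa not*base64 broken entry",
])

if __name__ == "__main__":
    for lineno, fp, comment in audit_authorized_keys(SAMPLE, DENYLIST):
        print(f"line {lineno}: denylisted key {fp} ({comment})")
```

The fingerprint format matches what `ssh-keygen -lf` prints, so a denylist can be built from any public key file with that command.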