Emergency Alert System vulnerable to hacking

Tools

The Emergency Alert System, which federal agencies use to warn residents of emergencies and severe weather through television and radio broadcast interruptions, is hackable, says a June 26 notice from the Homeland Security Department.

The Federal Emergency Management Agency, Federal Communications Commission and National Weather Service jointly manage the service, which relies on two application servers, DASDEC-I and DASDEC-II, made by Monroe Electronics, Inc.

A DHS Cyber Emergency Response Team advisory says these Linux-based EAS encoder/decoder devices have several security issues, including the public disclosure of the default private root secure shell key, which could be used to compromise an EAS device and manipulate system function.

Computer security company IOActive reports (.pdf) that "all logged information on a DASDEC server can be accessed by an unauthenticated user."

"Log access also allows an attacker to browse key directories, providing him with a wealth of information about the server, its administrators, its peering arrangement--and basic login/logout information," finds IOActive.

CERT advises EAS administrators apply an update to the servers that disables the SSH key, installs new keys and enforces new password policies. These SSH keys must be disabled immediately, says CERT, adding instruction on how to manually inspect SSH keys and restrict access going forward.

For more:
- read the CERT vulnerability note VU#662676
- download the IOActive report (.pdf)

Related Articles:
FEMA launches ad campaign for wireless emergency alerts
Most states yet to enroll in Commercial Mobile Alert System
FCC extends deadline for emergency alert formatting