With Zombies Explained, National Alert System Can Go Back to Sleep
What may have been even more shocking to Montana citizens than the message that a zombie attack was imminent was that the U.S. emergency alert system was issuing any sort of announcement at all. The system was enabled during the Cold War, but it has never been used -- if you don't count the walking dead alert -- not even following the 9/11 attacks.
Jul 11, 2013 1:19 PM PT
"City authorities: More areas have reported that the bodies of the dead are rising from their graves and attacking the living," warned a voice over the emergency alert system on Montana station KRTV during an airing of a regularly broadcast program in February.
That incident, which has become known as the "Zombie Apocalypse," was the first sign that the EAS -- the national warning system used by radio and TV stations across the U.S. -- could be hacked.
IOActive Security this week revealed the vulnerabilities in the system that allowed the mischief, which were discovered by its principal research scientist, Mike Davis.
The main problem was that the DASDEC EAS servers from Digital Alert Systems were shipped with root privileged SSH keys as part of the firmware update package, which was publicly accessible, according to IOActive. Attackers who got the keys could log in remotely over the Internet and manipulate any system function.
"That's the equivalent of publishing the combination to your safe," remarked Jason Thompson, director of global marketing at SSH Communications Security.
US-CERT, the U.S. Computer Emergency Readiness Team, released a vulnerability note about the issue, and Monroe Electronics, the parent company of DAS, then took action.
"We were notified by CERT of a potential vulnerability, and developed a software mitigation for both the DASDEC and OneNet platforms," Monroe spokesperson Edward Czarnecki told TechNewsWorld.
OneNet is the EAS server offered directly by Monroe.
IOActive did not respond to our request for further details.
Flaws Found in the EAS Servers
IOActive also found that unauthenticated users could access all information logged on a DASDEC server. That would let anyone browse key directories, gleaning information about the server, its administrators, its peering arrangement, and basic login and logout details, among other things.
Among the other flaws Davis discovered: The system generated predictable session IDs and predictable passwords. Also, some sites did not change default administrative passwords included with systems when they were shipped.
How the EAS Works
The EAS is the latest in a line of early warning systems that began with the CONELRAD system set up in 1951 to warn Americans of an enemy attack during the Cold War. In addition to enabling the president to speak to the nation within 10 minutes of an emergency, it is used to alert the public of local weather emergencies.
The EAS is used on all broadcasting systems in the US, including cable, Sirius XM satellite radio, digital radio and TV, and direct-broadcast satellite.
The DASDEC and One-Net servers are Linux-based EAS encoder/decoder (ENDEC) devices that receive and authenticate EAS messages sent to stations. They then interrupt regular broadcasts and relay the messages they receive onto the broadcasts. Hacking into an ENDEC will let attackers disrupt stations' ability to transmit, and could let them disseminate false information over a large area, among other things.
Possible Implications of the Flaws
Predictable session IDs and predictable passwords "can be readily utilized to gain unauthorized access" to systems, SSH Communications Security's Thompson told TechNewsWorld. "If this bad practice has proliferated in the organization, it can be a disaster."
However, there have been no reports of any incidents relating to SSH keys, and Monroe "issued this security update as a precautionary measure," Monroe's Czarnecki said.
On the other hand, perhaps an EAS hack might not have much of an impact anyway. A national EAS test was conducted in November of 2011, but the nationwide federal EAS has never been activated -- not even on 9/11.
In 2011, Michael Powell, then chairman of the Federal Communications Commission, suggested that the proliferation of 24/7 news channels in effect rendered the EAS redundant. In light of today' near-instantaneous communications through Twitter and Facebook, perhaps he had a point.