You might remember how a Montana TV station's emergency alert system was hacked earlier this year to display a message that the zombie apocalypse had begun -- it, of course, hadn't. Now, a security firm is revealing a "critical" vulnerability that left much of the nation's Emergency Alert System hackable.
According to the Cyber Emergency Response Team (CERT), which is sponsored by the Department of Homeland Security, the firm IOActive identified several security issues affecting devices that allowed TV and radio broadcasts to be broken into with emergency information.
A man watches the new Emergency Alert System (EAS) test on November 9, 2011 in Washington, DC. The FCC and the Federal Emergency Management Agency, FEMA, conducted the first-ever nationwide test of the national Emergency Alert System. EAS participants broadcast alerts and warnings regarding severe weather alerts, child abductions and other types of emergencies. The EAS alerts are transmitted over radio and television broadcast stations, cable television and other media services. (Photo: KAREN BLEIER/AFP/Getty Images)
“Earlier this year we were shown an example of an intrusion on the EAS when the Montana Television Network's regular programming was interrupted by news of a zombie apocalypse. Although there was no zombie apocalypse, it did highlight just how vulnerable the system is,” Mike Davis, principal research scientist for IOActive, said in a statement. “These DASDEC application servers are currently shipped with their root privileged SSH key as part of the firmware update package. This key allows an attacker to remotely log on over the Internet and can manipulate any system function. For example, they could disrupt a station's ability to transmit and could disseminate false emergency information. For any of these issues to be resolved, we believe that re-engineering needs to be done on the digital alerting system side and firmware updates to be pushed to all appliances.”
CERT in its notice said that the vulnerabilities were found in Digital Alert Systems DASDEC and Monroe Electronics One-Net E189 emergency alert devices. IOActive in its technical report listed the severity of the vulnerability as "critical."
These vendors were notified of the vulnerability and released a firmware update in April. Other fixes were also provided to improve the security of existing systems.
News of the vulnerability wasn't announced until recently, after the firmware updates to the systems had been made.
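A vendor or station engineer can check an unpacked firmware update for the kind of flaw IOActive describes, private SSH key material shipped inside the package. The following is an added example, not code from IOActive, CERT or the vendors; the directory layout and file names in the sample tree are constructed placeholders, not the real firmware contents.

```python
import os
import tempfile

# Standard PEM header lines that mark private key material (OpenSSH/OpenSSL formats).
PRIVATE_KEY_MARKERS = (
    b"-----BEGIN OPENSSH PRIVATE KEY-----",
    b"-----BEGIN RSA PRIVATE KEY-----",
    b"-----BEGIN DSA PRIVATE KEY-----",
    b"-----BEGIN EC PRIVATE KEY-----",
    b"-----BEGIN PRIVATE KEY-----",
    b"-----BEGIN ENCRYPTED PRIVATE KEY-----",
)

def find_private_keys(root):
    """Return a sorted list of (relative_path, marker) for files under root holding a private key."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks and special files inside the unpacked image
            with open(path, "rb") as fh:
                data = fh.read(1024 * 1024)  # key files are small; cap the read per file
            for marker in PRIVATE_KEY_MARKERS:
                if marker in data:
                    findings.append((os.path.relpath(path, root), marker.decode()))
                    break
    return sorted(findings)

def build_sample_tree(root):
    """Write a constructed, hypothetical firmware layout with a dummy (non-functional) key file."""
    ssh_dir = os.path.join(root, "root", ".ssh")
    os.makedirs(ssh_dir)
    with open(os.path.join(ssh_dir, "id_dsa"), "wb") as fh:
        fh.write(b"-----BEGIN DSA PRIVATE KEY-----\nCONSTRUCTED-PLACEHOLDER\n"
                 b"-----END DSA PRIVATE KEY-----\n")
    with open(os.path.join(ssh_dir, "id_dsa.pub"), "wb") as fh:
        fh.write(b"ssh-dss CONSTRUCTED-PLACEHOLDER root@example\n")
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, "etc", "version"), "wb") as fh:
        fh.write(b"sample-firmware 0.0\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel_path, marker in find_private_keys(tmp):
            print(f"private key material in update package: {rel_path} ({marker})")
```

Any hit in a release package means the key must be treated as public: it has to be removed from the image and revoked on every appliance that trusts it.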
The Emergency Alert System, previously the Emergency Broadcast System, "requires broadcasters, cable television systems, wireless cable systems, satellite digital audio radio service (SDARS) providers, and direct broadcast satellite (DBS) providers to provide the communications capability to the President to address the American public during a national emergency." This functionality was tested for the first time on the national scale with questionable success in November 2011.
More often, the system is used on the state and local level to deliver emergency weather information and AMBER alerts. Some cellphones are also now equipped to receive these alerts via text message.