Flaw Opened Federal Emergency Alerting System To Hijacking

Multiple vulnerabilities were discovered in the DASDEC Emergency Messaging Platform and Monroe Electronics One-Net E189 Emergency Alert Systems. Both application server devices are manufactured by Digital Alert Systems (DAS), a division of Lyndonville, N.Y.-based Monroe Electronics. They receive and authenticate messages that are then broadcast to the public.

The devices are mandated by the Federal Communications Commission at radio and television stations. The Monroe systems are installed in several thousand television and cable providers across the U.S., said Ed Czarnecki, director of regulatory affairs at Monroe Electronics. It is likely that the devices could have been vulnerable for about two years, when many of the devices were installed as part of a modernization effort, Czarnecki told CRN.

[Related: 5 Signs Enterprise Software Security Is Improving ]

Monroe was notified about vulnerabilities in its equipment in January and the company's internal development team developed a software update that was made available in March. A month later, the company reached out to get broadcasters that maintain the devices to install the firmware, Czarnecki said. Approximately 3 percent of devices remain unpatched, he said.

"You will inevitably run into a small portion of users who just don't want to cooperate even though they are required to install the devices and maintain them in good working order," he said.

The Emergency Alert System devices are installed at large and small broadcasters. Some smaller firms don't have IT teams in place and use poor security practices -- failing to maintain a firewall, and weak and default passwords -- leading to problems. In February, a zombie attack alert was issued on a handful of U.S. TV stations. The attacker guessed the default passwords on the Monroe devices, enabling the hoax to be broadcast.

The latest firmware update disables the compromised SSH key, according to a security advisory issued late last month by the United States Computer Emergency Response Team (US-CERT). The firmware update also provides a way to install new unique keys and enforce a stronger password policy.

"The compromised root SSH key should be disabled immediately, especially if the SSH service is exposed to untrusted networks such as the Internet," the US-CERT said in its advisory. "If SSH connectivity is required, generate, install and test new SSH keys before disabling the compromised key."

The vulnerabilities were discovered by Seattle-based security firm IOActive, which issued a security advisory this week outlining the extent of the threat. The vulnerabilities are significant and should be addressed, according to Mike Davis, a senior security consultant at IOActive.

The messages are preceded and followed by alert tones that include information about weather events and other public disturbances, and offer instructions. The emergency messages are often heard over the National Oceanic and Atmospheric Administration (NOAA) radio or relayed to other television and radio stations via a messaging peer, Davis said.

"An attacker who gains control of one or more DASDEC systems can disrupt these stations’ ability to transmit and could disseminate false emergency information over a large geographic area," Davis said in a statement. "In addition, depending on the configuration of this and other devices, these messages could be forwarded to and mirrored by other DASDEC systems."

PUBLISHED JULY 9, 2013