[BreachExchange] Seven Years Later, Scores of EAS Systems sit Un-patched, Vulnerable

Destry Winant destry at riskbasedsecurity.com
Fri Feb 7 10:15:48 EST 2020


https://securityledger.com/2020/01/seven-years-later-scores-of-eas-systems-sit-un-patched-vulnerable/

More than 50 EAS deployments across the United States appear to still
contain a vulnerability first discovered and reported by the firm
IOActive in 2013, according to a warning posted by the security
researcher Shawn Merdinger on January 19, seven years after the
initial vulnerability report was issued.

Security Ledger viewed the exposed web interfaces for Monroe/Digital
Alert Systems EAS hardware used by two FM broadcasters in Texas,
another used by AM and FM stations on the island of Hawaii, and an
exposed EAS belonging to a broadband cable provider in North Carolina.
Security Ledger is withholding the names of the broadcasters for
security reasons.


A history of vulnerabilities

The EAS system replaced the Emergency Broadcast System (EBS) in the
late 1990s. It is used to deliver local or national information to the
public in the event of an emergency. Among other things, the EAS is
designed to “enable the President of the United States to speak to the
United States within 10 minutes” after a disaster occurs.

[Figure: An example of the exposed web interface for Digital Alert
Systems EAS hardware used by two Texas-based broadcasters.]

IOActive first notified Monroe Electronics about vulnerabilities in
its DASDEC product for EAS in January 2013. According to an analysis
by researcher Mike Davis, Monroe distributed the root-privileged SSH
key for the DASDEC-I and DASDEC-II appliances as part of the DASDEC
firmware. Because every appliance shipped with the same key, anyone
holding it could log in as root over the Internet to any exposed
DASDEC device and then manipulate any system function, IOActive warned.
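The core defect described above is a credential shared across an entire product line: the same root SSH key on every appliance. An operator of several DASDEC units (or any fleet) can detect this condition without knowing the vendor key in advance, simply by fingerprinting the public keys each host presents or trusts and flagging any fingerprint that appears on more than one host. The following audit script is an added example, not code from the article, IOActive or Digital Alert Systems; the host names and the Ed25519 key material in it are constructed for the demonstration, and the fingerprint format follows OpenSSH's `SHA256:` base64 convention.

```python
"""Audit a fleet for SSH public keys that are shared across hosts.

Added example: inventory lines would normally be collected from each
appliance's /root/.ssh/authorized_keys or from ssh-keyscan output; here
they are constructed inline so the script runs offline.
"""
import base64
import hashlib
import struct
from collections import defaultdict

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + payload)."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_pubkey_line(raw32: bytes, comment: str) -> str:
    """Build an authorized_keys-style line for a constructed Ed25519 key.

    raw32 is 32 bytes standing in for the public key; it is test data,
    not a real key.
    """
    if len(raw32) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def fingerprint(line: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a public key line.

    Accepts both authorized_keys lines ("type base64 comment") and
    known_hosts / ssh-keyscan lines ("host type base64"), by locating
    the key-type token and taking the base64 blob that follows it.
    """
    parts = line.split()
    for i, tok in enumerate(parts):
        if tok in KEY_TYPES and i + 1 < len(parts):
            blob = base64.b64decode(parts[i + 1])
            digest = hashlib.sha256(blob).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError(f"no recognised public key in line: {line!r}")


def find_shared_keys(inventory):
    """Map {host: [pubkey_line, ...]} to {fingerprint: [hosts]} for keys
    that appear on more than one host. Blank lines and comments are skipped."""
    seen = defaultdict(list)
    for host, lines in inventory.items():
        for line in lines:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            fp = fingerprint(line)
            if host not in seen[fp]:
                seen[fp].append(host)
    return {fp: hosts for fp, hosts in seen.items() if len(hosts) > 1}


# Constructed inventory: two appliances trust the same "vendor" key, a
# third trusts only its own unique key. None of these are real keys.
VENDOR_KEY = make_ed25519_pubkey_line(bytes([0x11]) * 32, "vendor-default")
SAMPLE_INVENTORY = {
    "eas-appliance-a.example": [VENDOR_KEY,
                                make_ed25519_pubkey_line(bytes([0xA1]) * 32, "ops-a")],
    "eas-appliance-b.example": ["# managed by vendor image", VENDOR_KEY],
    "eas-appliance-c.example": [make_ed25519_pubkey_line(bytes([0xC3]) * 32, "ops-c")],
}


def audit_report(inventory=SAMPLE_INVENTORY):
    """Return a list of human-readable findings for shared keys."""
    findings = []
    for fp, hosts in sorted(find_shared_keys(inventory).items()):
        findings.append(f"{fp} trusted on {len(hosts)} hosts: {', '.join(sorted(hosts))}")
    return findings


if __name__ == "__main__":
    for finding in audit_report() or ["no shared keys found"]:
        print(finding)
```

In practice the inventory would be gathered by pulling `authorized_keys` from each unit over an out-of-band management path, or from `ssh-keyscan` output for host keys; the same fingerprint appearing on every unit is the signature of a key baked into a firmware image rather than provisioned per device.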

DASDEC devices from Emergency Alert Systems (formerly Monroe
Electronics) remain un-patched and exposed on the Internet seven years
after the security firm IOActive first reported security flaws.

DASDEC is a special-purpose application server that delivers emergency
messages to television and radio stations. DASDEC encoder/decoders
receive and authenticate EAS messages delivered over National Oceanic
and Atmospheric Administration (NOAA) radio or relayed by a Common
Alerting Protocol (CAP) messaging peer. After a station authenticates
an EAS message, the DASDEC server interrupts the regular broadcast and
relays the message onto the broadcast preceded and followed by alert
tones that include some information about the event.


Scores of exposed EAS systems

According to a search conducted using the Shodan search engine, 55
Monroe DASDEC EAS systems are still using that shared SSH key,
including the facilities in North Carolina, Texas and Hawaii. The
broadcasters contacted by The Security Ledger were not able to offer
comment prior to publication.

Merdinger notes that the Monroe systems are easy to discover using
tools like Shodan, which search the Internet for connected hardware,
including so-called “critical infrastructure” like SCADA and
industrial control systems.

His search keyed off of the unique, shared SSH key value used by the
EAS systems. However, simply searching on the manufacturer name and
the serial number displayed on the web management interface will
typically turn up any units exposed to the public Internet.

Exposed web server interfaces used to manage the EAS hardware divulge
other information that could be useful to an attacker as well,
including the radio or TV station call letters, frequency
identification and so on, Merdinger noted.

The system has been shown to be vulnerable to tampering before. In
February, 2013, for example, unknown hackers compromised EAS systems
at television stations in the U.S. and broadcast a bogus emergency
alert claiming that the “dead were rising from their graves” and
attacking people. Published reports say that at least four television
stations were the victims of the hoax: WBKP and WNMU in Marquette,
Michigan; KNME/KNDM in Albuquerque, New Mexico; and KRTV in Great
Falls, Montana.

On Patching: Customers don’t respond

Monroe, now known as Digital Alert Systems, issued patches addressing
the flaws discovered by IOActive and has continued to update its DASDEC
products in the years since, said Ed Czarnecki, the Senior Director
for Strategy and Government Affairs at Digital Alert Systems. However,
a number of customers have not responded to either the company's or
federal officials' entreaties, he said.

Digital Alert Systems is calling and emailing affected customers that
turned up in the Shodan search to urge them to update their systems,
Czarnecki told The Security Ledger. “The immediate issue is you can’t
have computer equipment on the open Internet,” he said. “It just
should not be done.”

Czarnecki said the Internet-exposed systems represent a small fraction
of Digital Alert Systems customers. He said the company had directed
“several people” to follow up on the report from Merdinger and contact
the affected organizations.

The Federal Communications Commission in July 2018 issued new
guidance to help prevent false alarms, such as the errant EAS message
about an inbound ballistic missile that sowed terror and panic in
Hawaii. The FCC required EAS equipment to be configured in a way that
helps prevent EAS tampering and false alerts.
