
Exposed SSH Key Means US Emergency Alert System Can Be Hacked

wiredmikey writes "Recently discovered security flaws in the Emergency Alerting System (EAS), which is widely used by TV and radio stations across the United States, have made the systems vulnerable to remote attack. The vulnerability stems from an SSH key that is hard-coded into DASDEC-I and DASDEC-II devices made by Monroe Electronics. Unless the default settings were altered during deployment, impacted systems are using a known key that could enable an attacker with full access if the systems are publicly faced or if they've already compromised the network. By exploiting the vulnerability, an attacker could disrupt a station's ability to transmit and/or could send out false emergency information. 'Earlier this year we were shown an example of an intrusion on the EAS when the Montana Television Network's regular programming was interrupted by news of a zombie apocalypse. Although there was no zombie apocalypse, it did highlight just how vulnerable the system is,' said Mike Davis, a principal research scientist at IOActive. The DHS issued an alert on the vulnerability, and IOActive, the firm that discovered the flaw, has published additional technical details (PDF) on the security issue."
  • Re:Hard-Coded? (Score:4, Interesting)

    by bughunter ( 10093 ) <[ten.knilhtrae] [ta] [retnuhgub]> on Tuesday July 09, 2013 @01:11PM (#44227363) Journal

    If the implications are that it can be changed by modifying the default settings, it's not really hard-coded, is it?

    FTFS:
    Unless the default settings were altered during deployment, impacted systems are using a known key

    You missed an important bit there. It's very probably stored on an EPROM or SD Card, requiring physical access to the DASDECs. Some of my employer's products are used in the same market (local TV stations) and that's a pretty common method of configuring equipment for a particular customer.

    Hard-coded, as in: Yes it's code, but there's no external interface protocol which permits changing the keys. In order to alter it, you have to remove the unit from the rack, take the cover off, and then you can upload a new config file. More recent products use external USB ports, but I bet these DASDECs are older than that...
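For operators checking whether a device still trusts a shipped default key, the sketch below audits `authorized_keys` text against a set of known-bad fingerprints. It is an added example, not code from the article, IOActive, or Monroe Electronics; the key blobs and the `KNOWN_BAD` entry are constructed placeholders, since the actual fingerprint is not given on this page.

```python
import base64
import hashlib
import struct

def fingerprint(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint of a raw public-key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def iter_keys(text):
    """Yield (line_no, key_type, blob, comment) for each key in authorized_keys text."""
    for no, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # Options (possibly containing spaces) may precede the key type, so take
        # the first (type, blob) pair whose blob header names the same type.
        for i in range(len(fields) - 1):
            try:
                blob = base64.b64decode(fields[i + 1], validate=True)
            except ValueError:
                continue
            if len(blob) < 4:
                continue
            (n,) = struct.unpack(">I", blob[:4])
            if blob[4:4 + n] == fields[i].encode():
                yield no, fields[i], blob, " ".join(fields[i + 2:])
                break

def audit(text, known_bad):
    """Return (line_no, key_type, fingerprint, comment) for every known-bad key."""
    return [(no, kt, fingerprint(blob), comment)
            for no, kt, blob, comment in iter_keys(text)
            if fingerprint(blob) in known_bad]

def _sample_blob(key_type: bytes, body: bytes) -> str:
    """Constructed stand-in for a key blob: real framing, fake key material."""
    return base64.b64encode(struct.pack(">I", len(key_type)) + key_type + body).decode()

VENDOR_DEFAULT = _sample_blob(b"ssh-rsa", b"constructed-vendor-default-key")
OPERATOR_KEY = _sample_blob(b"ssh-ed25519", b"constructed-operator-key")
# Placeholder: in practice this set holds the fingerprint published for the default key.
KNOWN_BAD = {fingerprint(base64.b64decode(VENDOR_DEFAULT))}
SAMPLE = f"""# constructed authorized_keys
ssh-ed25519 {OPERATOR_KEY} ops@station
command="echo ssh-rsa ok",no-pty ssh-rsa {VENDOR_DEFAULT} factory default
"""

if __name__ == "__main__":
    for hit in audit(SAMPLE, KNOWN_BAD):
        print("known default key still trusted:", hit)
```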
