You’d think that the prospect of a zombie invasion would prompt our nation’s broadcasters and others who participate in the Emergency Alert System (EAS). Just the opposite is true.
Months after a bogus EAS message warning about a zombie uprising startled residents in Michigan, Montana and New Mexico, the number of vulnerable EAS devices accessible from the Internet has increased, rather than decreased, according to data from the security firm IOActive.
In a blog post Thursday, Mike Davis, principal research scientist at IOActive, said that a scan of the public Internet for systems running versions of the Monroe Electronics software found almost double the number of vulnerable systems in July – 412 – as were found in April, when an IOActive scan of the public Internet using the Shodan search engine found only 222 vulnerable systems.
IOActive first notified Monroe Electronics about vulnerabilities in its DASDECS product in January of this year. According to an analysis by IOActive, Monroe distributes the root-privileged SSH key for the DASDEC-I and DASDEC-II appliances (and potentially other Linux-based hardware provided by DAS) as part of the DASDEC firmware. That key would allow an attacker to log in as root over the Internet to a DASDEC device, and then manipulate any system function, IOActive warned.
DASDEC is a special-purpose application server that delivers emergency messages to television and radio stations. DASDEC encoder/decoders receive and authenticate EAS messages delivered over National Oceanic and Atmospheric Administration (NOAA) radio or relayed by a Common Alerting Protocol (CAP) messaging peer. After a station authenticates an EAS message, the DASDEC server interrupts the regular broadcast and relays the message onto the broadcast, preceded and followed by alert tones that include some information about the event.
The flaw reported by IOActive did not play a part in the “zombie invasion” prank. Rather, in that incident, attackers took advantage of a factory default password that was published in Monroe Electronics documentation for the company’s R-189 devices. The hackers then logged in to the CAP-EAS devices and inserted the bogus message about the dead rising from their graves. Bill Robertson, a Vice President at the firm Monroe Electronics in Lyndonville, New York, put the blame at the feet of customers who failed to change the default password, which was printed in company documentation that could be downloaded from Monroe’s public web site. “They were compromised because the front door was left open. It was just like saying ‘Walk in the front door,’” he told Reuters in February.
Monroe issued guidance to customers to change their default passwords. And, in April, the company released a patch to address the larger security issues discovered by IOActive.
But, Davis said, releasing a patch is one thing. Getting customers to install it is a different matter. The data from IOActive suggests that many customers who received the Monroe patch have not applied it to their DASDEC appliances, and that a larger number of vulnerable Monroe systems are now discoverable from the public Internet – making them easy targets for compromise.
Davis argued that Monroe (and other vendors like it) needs to take a more active role in getting customers to apply patches or, in lieu of that, to make sure they have applied mitigation strategies that address the immediate vulnerability.
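For the firmware-shipped root SSH key described above, one check an operator can run is to fingerprint every entry in root's `authorized_keys` and compare it against a denylist of vendor-shipped keys. The following is an added example, not code from IOActive, Monroe or the original article. It assumes the shipped key's public half is trusted in `authorized_keys`; the key blobs, the denylist fingerprint and all function names are constructed placeholders, since the article gives no real values.

```python
import base64, hashlib, re, struct

KEY_RE = re.compile(r"(?:^|\s)((?:ssh|ecdsa|sk)-[\w@.+-]+)\s+([A-Za-z0-9+/]+={0,2})(?:\s|$)")

def fingerprint(blob):
    """SHA256 fingerprint in the form OpenSSH prints (unpadded base64)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def keys_in(text):
    """Yield (line_no, key_type, blob) per well-formed entry; a leading options field is skipped."""
    for no, line in enumerate(text.splitlines(), 1):
        m = None if line.lstrip().startswith("#") else KEY_RE.search(line)
        if not m:
            continue
        try:
            blob = base64.b64decode(m.group(2), validate=True)
        except ValueError:  # bad padding or stray characters
            continue
        # A public-key blob begins with a length-prefixed copy of its type name;
        # requiring a match keeps look-alike text in options from being hashed.
        if len(blob) >= 4:
            (n,) = struct.unpack(">I", blob[:4])
            if blob[4:4 + n] == m.group(1).encode():
                yield no, m.group(1), blob

def audit(text, denylist):
    """Return [(line_no, fingerprint)] for entries whose key is on the denylist."""
    fps = ((no, fingerprint(blob)) for no, _type, blob in keys_in(text))
    return [(no, fp) for no, fp in fps if fp in denylist]

# --- Constructed sample data: these are not real keys or real fingerprints ---
def _fake_ed25519(seed):
    body = hashlib.sha256(seed).digest()  # 32 bytes standing in for a public key
    return struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + body

SHIPPED = _fake_ed25519(b"placeholder for the firmware-shipped key")
SITE = _fake_ed25519(b"placeholder for a site-generated key")
DENYLIST = {fingerprint(SHIPPED)}
SAMPLE = "\n".join([
    "# authorized_keys for root (constructed)",
    "ssh-ed25519 " + base64.b64encode(SITE).decode() + " ops@station",
    'from="10.0.0.0/8",no-pty ssh-ed25519 ' + base64.b64encode(SHIPPED).decode() + " vendor",
    "ssh-ed25519 not_base64!! broken",
])

if __name__ == "__main__":
    print(audit(SAMPLE, DENYLIST))
```

A hit means the appliance still trusts a key that anyone holding the firmware image also holds, so the entry should be removed and replaced with a site-generated key.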