More than six months after hacked Emergency Alert System (EAS) hardware allowed a phony warning about a zombie uprising to air in several U.S. states, a security consulting company is warning that serious issues persist in software from Monroe Electronics, whose equipment was compromised in the earlier attack.
Software updates issued by Monroe to fix security problems with earlier versions of its software have introduced serious new issues that could once again allow EAS devices to be compromised by a remote hacker, according to a post published Thursday by Mike Davis, a researcher at the security firm IOActive.
Patches issued by Monroe Electronics, the Lyndonville, New York firm that is a leading supplier of EAS hardware, do not adequately address problems raised by Davis and others earlier this year, including the use of “bad and predictable” login credentials. Further inspection by Davis turned up other problems that were either missed in the initial code review or introduced by the patch. They include the use of “predictable and hard-coded keys and passwords,” as well as web-based backups that were publicly accessible and that contained valid user credentials.
Monroe’s R-189 CAP-EAS product was the target of a hack in February during which EAS equipment operated by broadcasters in Montana, Michigan and other states was compromised and used to issue an alert claiming that the “dead are rising from their graves,” and advising residents not to attempt to apprehend them. CAP refers to the Common Alerting Protocol, a successor to EAS. Then, in July, Davis announced that he had discovered further vulnerabilities in the DASDEC digital alerting system application servers, which receive and authenticate EAS messages. DASDEC-I and II application servers shipped with the root (privileged) SSH key as part of the firmware update package, he found. That makes it easy for an attacker to extract the key from a firmware update, then log in to a DASDEC device over the Internet and manipulate any system function. Monroe issued a firmware patch, version 2.0-2, in April that addressed the SSH key issue and enforced a new password policy.
That seemed like the end of the story, but the 2.0-2 patch “wasn’t as effective as one would have hoped,” Davis now writes. “In most cases bad and predictable credentials were left in place intentionally” — apparently for fear of “breaking” features of the product. In other cases, features added in the 2.0-2 version introduced new hardcoded login credentials, the very problem that caught the attention of hackers and landed Monroe in hot water.
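The two findings above (a root SSH key shipped inside the firmware update package, and hard-coded credentials left in place or re-introduced by a patch) are the kind of thing an operator or vendor can screen for before an update is deployed. The following is an added example, not code from IOActive or Monroe, that audits a firmware update tarball for embedded private keys, pre-installed `authorized_keys` entries and credential-style settings. The archive, its file names and its contents are constructed for the example.

```python
import io
import re
import tarfile

# Markers for material that should never ship in a firmware update package.
PRIVATE_KEY_RE = re.compile(rb"-----BEGIN (?:RSA |DSA |EC |OPENSSH )?PRIVATE KEY-----")
# A credential-style setting such as "password=..." on its own line in a config file.
CRED_RE = re.compile(rb"^\s*(?:password|passwd|pass)\s*[=:]\s*\S+", re.I | re.M)


def scan_firmware(tar_bytes):
    """Return (member name, finding) pairs for suspicious content in a tarball."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for member in tf.getmembers():
            if not member.isfile():
                continue
            data = tf.extractfile(member).read()
            if PRIVATE_KEY_RE.search(data):
                findings.append((member.name, "private key"))
            if CRED_RE.search(data):
                findings.append((member.name, "hard-coded credential"))
            if member.name.endswith("authorized_keys") and b"ssh-" in data:
                findings.append((member.name, "pre-installed authorized_keys entry"))
    return findings


def build_sample_package():
    """Constructed sample update package with three planted problems and one clean file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        def add(name, content):
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
        add("root/.ssh/id_rsa",
            b"-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED-KEY-BODY\n-----END RSA PRIVATE KEY-----\n")
        add("root/.ssh/authorized_keys", b"ssh-rsa CONSTRUCTED-PUBKEY root@device\n")
        add("etc/app.conf", b"listen=8080\npassword=CONSTRUCTED_VALUE\n")
        add("bin/start.sh", b"#!/bin/sh\nexec /usr/bin/app\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, finding in scan_firmware(build_sample_package()):
        print(f"{finding}: {name}")
```

Run against a real update package, any hit on a private key or `authorized_keys` entry is a reason to hold the rollout and ask the vendor how that device is meant to be administered.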
Shawn Merdinger, a network security analyst and graduate student at The University of Florida, used the Shodan search engine to identify 209 Monroe Electronics devices that can be accessed directly from the Internet. Many of those are on university networks, including the University of Massachusetts, the University of Miami and Purdue University, Merdinger said. Of those, only 71 were running the Version 2.0-2 firmware that fixed the known security issues, he said. “Sixty-six percent are still vulnerable and un-patched six months from a CERT/CC advisory, FCC advisory and vendor advisory, plus outreach,” he wrote in an e-mail to Security Ledger. “Yuk.”
But not everyone shares Davis’s and Merdinger’s dire assessment. IOActive reported the issues to the Department of Homeland Security’s Computer Emergency Readiness Team (CERT) and was told that the findings were “not terribly serious” and “not something the vendor can practically do much about,” Davis reported. Contacted by The Security Ledger, Ed Czarnecki, the Head of Strategy and Regulatory Affairs at Monroe, said that his company hadn’t been contacted by either IOActive or CERT regarding the new issues.
He said that only around 5% of the company’s 620 customers had not applied the patch released in April. Monroe had appealed to those customers to apply the patch, as has the FCC, Czarnecki said. Monroe also placed alerts within the firmware update to inform customers about the insecure SSH key and alert them if they choose to stick with the default administrator username and login, he said.
Beyond that, there was little Monroe could do to compel them to adopt the stricter security measures or to apply the patch, he said. While some have done an about-face on cyber security and take the issue seriously in the wake of the “zombie uprising” hoax, others haven’t, he said. The larger issues in the broadcast industry in regard to IT security may be cultural, he said.
“These are tube and wires guys. They’re deeply embedded with RF (radio frequency) technologies and they have a radio mentality,” Czarnecki said. “We’re seeing the merging of IT and broadcast operations technically, but from the resource perspective, they haven’t merged.”