Two years after a false EAS alert about an incoming ICBM sowed terror in Hawaii, and seven years after security researchers warned about insecure, Internet-connected Emergency Alert System (EAS) hardware, scores of the devices across the U.S. remain unpatched and vulnerable to cyber attack, according to security experts.
More than 50 EAS deployments across the United States appear to still contain a vulnerability first discovered and reported by the firm IOActive in 2013, according to a warning posted by the security researcher Shawn Merdinger on January 19, seven years after the initial vulnerability report was issued.
Security Ledger viewed the exposed web interfaces for Monroe/Digital Alert Systems EAS hardware used by two FM broadcasters in Texas, another used by AM and FM stations on the island of Hawaii, and an exposed EAS belonging to a broadband cable provider in North Carolina. Security Ledger is withholding the names of the broadcasters for security reasons.
A history of vulnerabilities
The EAS system replaced the Emergency Broadcast System (EBS) in the late 1990s. It is used to deliver local or national information to the public in the event of an emergency. Among other things, the EAS is designed to “enable the President of the United States to speak to the United States within 10 minutes” after a disaster occurs.
IOActive first notified Monroe Electronics about vulnerabilities in its DASDEC product for EAS in January 2013. According to an analysis by researcher Mike Davis, Monroe distributed the root-privileged SSH key for the DASDEC-I and DASDEC-II appliances as part of the DASDEC firmware. Because the same key shipped to every customer, anyone who extracted it from the firmware could log in as root over the Internet to any reachable DASDEC device and then manipulate any system function, IOActive warned.
DASDEC is a special-purpose application server that delivers emergency messages to television and radio stations. DASDEC encoder/decoders receive and authenticate EAS messages delivered over National Oceanic and Atmospheric Administration (NOAA) radio or relayed by a Common Alerting Protocol (CAP) messaging peer. After a station authenticates an EAS message, the DASDEC server interrupts the regular programming and puts the message on air, preceded and followed by alert tones that encode some information about the event.
Scores of exposed EAS systems
According to a search conducted using the Shodan search engine, 55 Monroe DASDEC EAS systems are still using that shared SSH key, including the facilities in North Carolina, Texas and Hawaii. The broadcasters contacted by The Security Ledger were not able to offer comment prior to publication.
Merdinger notes that the Monroe systems are easy to discover using tools like Shodan, which search the Internet for connected hardware, including so-called “critical infrastructure” like SCADA and industrial control systems.
His search keyed off the unique, shared SSH key value used by the EAS systems. However, simply searching on the manufacturer name and the serial number displayed on the web management interface will typically turn up any units exposed to the public Internet.
Exposed web server interfaces used to manage the EAS hardware divulge other information that could be useful to an attacker as well, including the radio or TV station call letters, frequency identification and so on, Merdinger noted.
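The reason a single key value finds all of these units is that every device presents the same SSH key. An operator can run the same check against their own inventory: collect each unit's SSH host key with `ssh-keyscan` and flag any key that more than one host presents, or that matches a fingerprint already known to be leaked. This is an added example, not code from IOActive, Merdinger or Digital Alert Systems; the hostnames and key blobs are constructed placeholders, and it assumes the shared key is visible as the SSH host key, since the page does not give the real key or fingerprint.

```python
import base64
import hashlib
from collections import defaultdict


def openssh_fingerprint(b64_key: str) -> str:
    """SHA256 fingerprint in the format OpenSSH prints (base64, no '=' padding)."""
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan(text: str):
    """Parse `ssh-keyscan` output lines of the form '<host> <keytype> <base64-key>'."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue  # skip blank lines, comments and malformed lines
        host, keytype, b64_key = fields[:3]
        entries.append((host, keytype, b64_key))
    return entries


def audit_shared_host_keys(text: str, known_bad=frozenset()):
    """Return {fingerprint: [hosts]} for every key presented by more than one
    host, or whose fingerprint is on the known-leaked list."""
    by_fp = defaultdict(list)
    for host, _keytype, b64_key in parse_keyscan(text):
        by_fp[openssh_fingerprint(b64_key)].append(host)
    return {fp: hosts for fp, hosts in by_fp.items()
            if len(hosts) > 1 or fp in known_bad}


def placeholder_key(label: str) -> str:
    """Constructed stand-in for a public key blob; not a real key."""
    return base64.b64encode(f"constructed-key-{label}".encode()).decode()


# Constructed sample of ssh-keyscan output for a hypothetical station inventory.
SAMPLE_KEYSCAN = f"""\
# constructed sample: hostnames and keys are placeholders
eas-tx-fm1.example ssh-rsa {placeholder_key('vendor-default')}
eas-tx-fm2.example ssh-rsa {placeholder_key('vendor-default')}
eas-hi-am.example ssh-rsa {placeholder_key('unique-hawaii')}
eas-nc-cable.example ssh-rsa {placeholder_key('vendor-default')}
"""

if __name__ == "__main__":
    for fp, hosts in audit_shared_host_keys(SAMPLE_KEYSCAN).items():
        print(fp, "shared by:", ", ".join(hosts))
```

Feed it real `ssh-keyscan` output and any fingerprint a vendor advisory names; a hit means the unit should be taken off the public Internet and re-keyed before patching.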
The system has been shown to be vulnerable to tampering before. In February 2013, for example, unknown hackers compromised EAS systems at television stations in the U.S. and broadcast a bogus emergency alert claiming that the “dead were rising from their graves” and attacking people. Published reports say that at least four television stations were the victims of the hoax: WBKP and WNMU in Marquette, Michigan; KNME/KNDM in Albuquerque, New Mexico; and KRTV in Great Falls, Montana.
On Patching: Customers don’t respond
Monroe, now known as Digital Alert Systems, issued patches addressing the flaws discovered by IOActive and has continued to update its DASDEC products in the years since, said Ed Czarnecki, the Senior Director for Strategy and Government Affairs at Digital Alert Systems. However, a number of customers have not responded to entreaties from either the company or federal officials, he said.
Digital Alert Systems is calling and emailing affected customers that turned up in the Shodan search to urge them to update their systems, Czarnecki told The Security Ledger. “The immediate issue is you can’t have computer equipment on the open Internet,” he said. “It just should not be done.”
Czarnecki said the Internet-exposed systems represent a small fraction of Digital Alert Systems customers. He said the company had directed “several people” to follow up on the report from Merdinger and contact the affected organizations.
The Federal Communications Commission in July 2018 issued new guidance to help prevent false alarms, such as the errant EAS message about an inbound ballistic missile that sowed terror and panic in Hawaii. The FCC required EAS equipment to be configured in a way that helps prevent EAS tampering and false alerts.