Hacking The Emergency Alerting System

Hacking The Emergency Alerting System: Last week CERT and IOActive (PDF) released advisories detailing the nature of the vulnerabilities and provided links to the updated firmware patches by the vulnerable vendors — Digital Alert Systems and Monroe Electronics.

There was some confusion at the time because the vulnerable vendors appeared to have released patches for some of the undisclosed vulnerabilities earlier; their press release of June 13 is dated April 24th (the date of when the vendors supposedly began outreach to their vulnerable customers).

Regardless, the most critical vulnerabilities — the compromised SSH root key, default passwords, and predictable password generation — allow attackers to trivially take control of the vulnerable systems and override station broadcasts.

The EAS, itself, is categorized as critical national infrastructure, yet it appears to still be largely vulnerable to attack even months after various security updates and alerts have been released. In a blog late last week, the original discoverer of the vulnerabilities, IOActive’s Davis, indicated that more of the system is vulnerable to attack that it was when he’d alerted the vendors back in January.