Slashdot Mirror


Exposed SSH Key Means US Emergency Alert System Can Be Hacked

wiredmikey writes "Recently discovered security flaws in the Emergency Alerting System (EAS), which is widely used by TV and radio stations across the United States, have made the systems vulnerable to remote attack. The vulnerability stems from an SSH key that is hard-coded into DASDEC-I and DASDEC-II devices made by Monroe Electronics. Unless the default settings were altered during deployment, impacted systems are using a known key that could give an attacker full access if the systems are publicly faced or if they've already compromised the network. By exploiting the vulnerability, an attacker could disrupt a station's ability to transmit and/or could send out false emergency information. 'Earlier this year we were shown an example of an intrusion on the EAS when the Montana Television Network's regular programming was interrupted by news of a zombie apocalypse. Although there was no zombie apocalypse, it did highlight just how vulnerable the system is,' said Mike Davis, a principal research scientist at IOActive. The DHS issued an alert on the vulnerability, and IOActive, the firm that discovered the flaw, has published additional technical details (PDF) on the security issue."


  1. Zombie apocalypse false report by intermodal · · Score: 5, Funny

    when I saw the first part of the blurb, I thought, "the least they could do is publicize the security hole by announcing the zombie apocalypse." Guess they beat me to the punch.

    --
    In SOVIET RUSSIA... erm...NSA AMERICA, the Internet logs onto YOU!
    1. Re:Zombie apocalypse false report by Anonymous Coward · · Score: 3, Funny

      When I saw the second part of the blurb, I thought, "They *say* there wasn't a zombie apocalypse and that it was just a security flaw, but maybe that's only because they managed to contain the outbreak in Montana." :-)

    2. Re:Zombie apocalypse false report by egamma · · Score: 3, Funny

      When I saw the second part of the blurb, I thought, "They *say* there wasn't a zombie apocalypse and that it was just a security flaw, but maybe that's only because they managed to contain the outbreak in Montana." :-)

      I grew up in Montana. I've been to Great Falls. If there were zombies in February, the zombies arose from the grave and then promptly iced over, and were then disassembled using chainsaws.

  2. Hard-Coded? by drummerboybac · · Score: 3, Insightful

    If the implications are that it can be changed by modifying the default settings, it's not really hard-coded, is it?

    1. Re:Hard-Coded? by CastrTroy · · Score: 3, Insightful

      There's a hard coded default, and that's bad enough. In order to do stuff like this correctly, the system should not have a default code, and it should not start until a new securely generated key has been created.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    2. Re:Hard-Coded? by bughunter · · Score: 4, Interesting

      If the implications are that it can be changed by modifying the default settings, it's not really hard-coded, is it?

      FTFS:
      Unless the default settings were altered during deployment, impacted systems are using a known key

      You missed an important bit there. It's very probably stored on an EPROM or SD Card, requiring physical access to the DASDECs. Some of my employer's products are used in the same market (local TV stations) and that's a pretty common method of configuring equipment for a particular customer.

      Hard-coded, as in: Yes it's code, but there's no external interface protocol which permits changing the keys. In order to alter it, you have to remove the unit from the rack, take the cover off, and then you can upload a new config file. More recent products use external USB ports, but I bet these DASDECs are older than that...

      --
      I can see the fnords!
    3. Re:Hard-Coded? by Em+Adespoton · · Score: 2

      These pieces of equipment are run by people who can't use the term "hacker" correctly and who waive their hands in the air about "cyber attacks."

      For morons, in other words.

      I agree... anyone who waives their hands is a moron. You can waive my hands from my cold dead (animated) body.

  3. Misdirection by belthize · · Score: 5, Funny

    I think this is just misdirection and cover up.

    'Earlier this year we were shown an example of an intrusion on the EAS when the Montana Television Network's regular programming was interrupted by news of a zombie apocalypse. Although there was no zombie apocalypse, it did highlight just how vulnerable the system is,

    How do we know there was no zombie apocalypse? Maybe they're just claiming a vulnerability to pretend the apocalypse was a fake. When was the last time you talked to somebody in Montana? Would you even know if it'd been overrun?

    1. Re:Misdirection by Picass0 · · Score: 5, Funny

      Plausible.

      Most people when meeting somebody from Montana wouldn't be able to tell if they are "living" or "living dead".

    2. Re:Misdirection by idontgno · · Score: 2

      I lived in Montana for a few years in my youth.

      I can confirm that I was like unto the undead during that period. It was living death, except colder in the winter.

      The only living thing there is cattle, and that's only because you can't market zombie beef yet.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    3. Re:Misdirection by MickyTheIdiot · · Score: 3, Funny

      They only got 4 calls about the alert.

      That was a full 50% of their audience.

    4. Re:Misdirection by 1s44c · · Score: 2

      If Montana was overrun by Zombies would anyone care?

      Now if Hannah Montana was fighting off a zombie invasion, maybe with a chainsaw, that would be a great film.

  4. for fucks sake people by smash · · Score: 4, Informative

    It's really not that hard.

    1. Password protect your private keys!
    2. don't listen on port 22 on the internet from anywhere. require VPN, ipsec tunnel, at the bare minimum, hosts.allow from a specific management network, or some other method to secure the connection first. security is layered, don't rely on a single authentication to give people the keys to the castle, or someone will fuck you
    3. use multiple service accounts with least privilege access so compromise of one doesn't impact another

    The fact that an emergency services network has been left in a state like this is bordering on.... no, IS criminal negligence.

    --
    I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
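The story's root problem is one default key that every shipped unit trusts, and smash's point is that a single credential should never be the whole gate. The following is an added example, not code from smash, IOActive, Monroe Electronics or anyone in the thread: a Python audit of an OpenSSH `authorized_keys` file that computes each key's SHA256 fingerprint the way `ssh-keygen -l` does, flags any key on a known-compromised list (where a vendor's shared default key would go), and flags keys that carry neither a `from=` source restriction nor a forced `command=`. The sample file, the key blobs and the "factory-default" key are all constructed for the example; the blobs are wire-format-correct but the 32 point bytes are filler, so they are not real keys.

```python
"""Audit an OpenSSH authorized_keys file for known-bad and unrestricted keys (added example)."""
import base64
import hashlib
import struct

KEY_TYPES = {
    "ssh-rsa", "ssh-ed25519", "ssh-dss",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}

def ssh_string(b: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: uint32 big-endian length, then data."""
    return struct.pack(">I", len(b)) + b

def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + base64 of the digest with '=' padding removed."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def split_options(line: str):
    """Split off the leading option list; it ends at the first whitespace outside double quotes."""
    in_quote = False
    for i, c in enumerate(line):
        if c == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quote = not in_quote
        elif c.isspace() and not in_quote:
            return line[:i], line[i + 1:].lstrip()
    return line, ""

def split_commas(options: str):
    """Split options on commas that are outside double quotes (command="a,b" stays intact)."""
    out, cur, in_quote = [], "", False
    for i, c in enumerate(options):
        if c == '"' and (i == 0 or options[i - 1] != "\\"):
            in_quote = not in_quote
        if c == "," and not in_quote:
            out.append(cur)
            cur = ""
        else:
            cur += c
    if cur:
        out.append(cur)
    return out

def parse_entry(line: str):
    """Parse one key line into type, fingerprint, comment and options; None if unusable."""
    options, rest = "", line
    if line.split(None, 1)[0] not in KEY_TYPES:      # line starts with options, not a key type
        options, rest = split_options(line)
    fields = rest.split(None, 2)
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        return None
    ktype, b64 = fields[0], fields[1]
    comment = fields[2] if len(fields) == 3 else ""
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:                                # binascii.Error is a ValueError
        return None
    # A real blob begins with the key type as an SSH string; anything else is garbled or forged.
    if not blob.startswith(ssh_string(ktype.encode())):
        return None
    return {"type": ktype, "fingerprint": fingerprint(blob), "comment": comment,
            "options": [o.strip() for o in split_commas(options)] if options else []}

def audit(text: str, blocklist):
    """Return one finding per key line; 'flags' lists what a reviewer should act on."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        entry = parse_entry(line)
        if entry is None:
            findings.append({"line": lineno, "flags": ["malformed"]})
            continue
        flags = []
        if entry["fingerprint"] in blocklist:
            flags.append("known-compromised")
        names = {o.split("=", 1)[0] for o in entry["options"]}
        if not ({"from", "command"} & names):        # neither source-restricted nor command-forced
            flags.append("unrestricted")
        entry.update(line=lineno, flags=flags)
        findings.append(entry)
    return findings

def make_ed25519_key(filler: int) -> str:
    """Constructed public-key blob for the sample: correct framing, filler bytes instead of a real point."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(bytes([filler]) * 32)
    return base64.b64encode(blob).decode()

DEFAULT_KEY = make_ed25519_key(0x41)   # stands in for a vendor's shared default key (constructed)
OPS_KEY = make_ed25519_key(0x42)       # an operator key (constructed)

# Constructed sample authorized_keys content, not from any real device.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample, not from any real device",
    f"ssh-ed25519 {DEFAULT_KEY} factory-default",
    f'from="10.0.5.0/24",command="/usr/local/bin/eas-admin",no-pty ssh-ed25519 {OPS_KEY} ops@mgmt',
    "ssh-rsa not-base64!! stale",
])
KNOWN_BAD = {fingerprint(base64.b64decode(DEFAULT_KEY))}   # the fingerprint you would publish in an advisory

if __name__ == "__main__":
    for f in audit(SAMPLE_AUTHORIZED_KEYS, KNOWN_BAD):
        print(f"line {f['line']}: {f.get('fingerprint', '?')} {f.get('comment', '')} flags={f['flags']}")
```

Run over a fleet, the blocklist is the set of fingerprints from the vendor's advisory; an "unrestricted" hit on a device that should only ever be reached from the management subnet is the layered-security gap smash describes, and `from=` is the per-key form of his hosts.allow advice.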
    1. Re:for fucks sake people by __aaeihw9960 · · Score: 2

      The sad fact is the people who actually make calls about infrastructure like emergency alert, power and water have absolutely no idea what most of the words in your post actually mean.

    2. Re:for fucks sake people by 1s44c · · Score: 2

      There is no security reason to move SSH to a different port. It's dead easy to work out what port it's on as it has a clear banner. VPN and ipsec are not more secure than SSH and often cause more problems as they can bridge trusted to untrusted networks.

      If you want to set up SSH right:

      Turn off all password authentication.

      Turn off everything else in the config you are not using, like host based and kerberos authentication.

      Use big key lengths.

      Check you only have current and correct keys in authorized_keys

      Limit keys by IP address or with forced commands if possible

      Disable root logins and all common user names if it makes you feel more secure

      Use privilege separation

      You may optionally limit connections per IP with iptables or an equivalent firewall but don't trust that fail2ban crap

      Set log level verbose so it actually logs what key was used to authenticate who
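A checker for the sshd side of that list, as an added example that is not 1s44c's or smash's code: it parses an `sshd_config`, works out which value sshd will actually use for each keyword, and compares it with the settings named above. The caveat it encodes is that sshd takes the first value it sees for a keyword, so a hardening line appended at the end of the file below an existing permissive one changes nothing; the checker mirrors that rule and also stops at the first `Match` block, since anything after it is conditional and needs its own review. The sample config is constructed for the example; `UsePrivilegeSeparation` is the 2013-era keyword and was removed (always on) in later OpenSSH releases, and sshd's defaults for a "missing" keyword depend on the version, so the checker reports missing rather than guessing.

```python
"""Check an sshd_config's effective global settings against a hardening list (added example)."""
import re

# keyword (sshd keywords are case-insensitive) -> acceptable values, lower-case
WANTED = {
    "passwordauthentication": {"no"},
    "challengeresponseauthentication": {"no"},      # keyboard-interactive passwords
    "hostbasedauthentication": {"no"},
    "kerberosauthentication": {"no"},
    "permitrootlogin": {"no"},
    "pubkeyauthentication": {"yes"},
    "useprivilegeseparation": {"yes", "sandbox"},   # 2013-era keyword; removed (always on) in OpenSSH 7.5+
    "loglevel": {"verbose"},                        # VERBOSE records the key fingerprint per login
}

# keyword, then whitespace or '=', then the argument
_LINE = re.compile(r"^([A-Za-z]+)\s*(?:=|\s)\s*(.*?)\s*$")

def effective_settings(text: str):
    """Return (settings, match_seen): the FIRST value per keyword, global section only."""
    settings, match_seen = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):        # sshd treats only whole-line '#' as comments
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":                           # everything below is conditional; review separately
            match_seen = True
            break
        if key not in settings:                      # first obtained value wins, later ones are ignored
            settings[key] = value
    return settings, match_seen

def check(text: str):
    """Return ({keyword: (status, effective_value)}, match_seen) with status ok / bad / missing."""
    settings, match_seen = effective_settings(text)
    report = {}
    for key, good in WANTED.items():
        if key not in settings:
            report[key] = ("missing", None)
        elif settings[key].lower() in good:
            report[key] = ("ok", settings[key])
        else:
            report[key] = ("bad", settings[key])
    return report, match_seen

def summarize(text: str):
    """Human-readable lines, worst findings first."""
    report, match_seen = check(text)
    order = {"bad": 0, "missing": 1, "ok": 2}
    lines = [f"{status.upper():7} {key} = {value}"
             for key, (status, value) in sorted(report.items(), key=lambda kv: order[kv[1][0]])]
    if match_seen:
        lines.append("NOTE    Match block present; per-user/per-host overrides not checked here")
    return lines

# Constructed sample sshd_config, not from any device: the permissive lines come first,
# and the "fixes" someone appended at the bottom never take effect.
SAMPLE_SSHD_CONFIG = """\
# constructed sample
Port 22
PasswordAuthentication yes
LogLevel INFO
PermitRootLogin yes
HostbasedAuthentication no
KerberosAuthentication no
UsePrivilegeSeparation sandbox
PubkeyAuthentication yes
# appended later in the belief that they override the lines above:
PasswordAuthentication no
PermitRootLogin no
Match User backup
    PasswordAuthentication no
"""

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_SSHD_CONFIG)))
```

Running it on the sample reports `PasswordAuthentication` and `PermitRootLogin` as still `yes` and `LogLevel` as `INFO`, which is exactly what `sshd -T` would show for that file; the appended lines are dead. Checking the live daemon with `sshd -T` is the authoritative test, and this script is for reviewing configs pulled from many devices offline.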

  5. Re:Bee Doe! Bee Doe! Bee Doe! by dgatwood · · Score: 2

    At least they chose an obviously fake alert. Imagine if they had announced a terrorist threat to a major sporting event. They could have easily caused a mass panic with thousands of casualties. This is why we must take cyber-security seriously. Specifically:

    • The community needs to continue beefing up vulnerability databases to make it easier for people to get alerts about software and hardware that they own and use, rather than generic warnings that contain dozens of products, 99% of which they don't care about. (That said, I do have to at least give CERT credit for finally making their email alerts useful instead of the useless "Click this link for an updated vulnerability summary" emails that they used to send out.)
    • Every college and university must make computer security classes mandatory for all CS and CE majors so that the systems they design are secure by default instead of defective by design.
    • Language developers must make common unsafe programming techniques impossible. For example, string taint support should be turned on by default, it should not be possible to remove that taint from a user-provided string, and it should be a fatal error for a tainted string to appear anywhere in the query string for a mysqli or PDO query.
    • Support for the base (non-parameterized) mysql library should be removed from all languages unless someone manually recompiles the libraries to include it, with a warning that the support will be removed entirely within two years.

    And so on. Notice how none of these things involve secret government organizations monitoring exabytes worth of data each day to "protect" us.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.