Slashdot Mirror


No Zombie Uprising, But Problems Persist With Emergency Alert System

chicksdaddy writes "More than six months after hacked Emergency Alert System (EAS) hardware allowed a phony warning about a zombie uprising to air in several U.S. states, a security consulting company is warning that serious issues persist in software from Monroe Electronics, whose equipment was compromised in the earlier attack. In a blog post, Mike Davis of the firm IOActive said patches issued by Monroe Electronics, the Lyndonville, New York firm that is a leading supplier of EAS hardware, do not adequately address problems raised earlier this year, including the use of 'bad and predictable' login credentials. Further inspection by Davis turned up other problems that were either missed in the initial code review or introduced by the patch. They include the use of “predictable and hard-coded keys and passwords,” as well as web-based backups that were publicly accessible and that contained valid user credentials. Monroe’s R-189 CAP-EAS product was the target of a hack in February during which EAS equipment operated by broadcasters in Montana, Michigan and other states was compromised and used to issue an alert claiming that the 'dead are rising from their graves,' and advising residents not to attempt to apprehend them. CAP refers to the Common Alerting Protocol, a successor to EAS. A recent search using the Shodan search engine by University of Florida graduate student Shawn Merdinger found more than 200 Monroe devices still accessible from the public Internet. 66% of those were running vulnerable versions of the Monroe firmware."

11 of 54 comments

  1. Anyone noticed. . . by djupedal · · Score: 3, Insightful

    It's no longer just an uphill battle trying to make things secure - we've lost the war.

    1. Re:Anyone noticed. . . by Anonymous Coward · · Score: 3, Insightful

      We haven't lost the war. Cheap bastards simply don't care about security.

    2. Re:Anyone noticed. . . by mirix · · Score: 2

      Nah, it's the typical engineering trilemma... fast, good, cheap; pick two.

      Though if you want good, it won't be cheap, just cheaper than good and fast. That and for certain values of "fast", there's not enough money in the world to make it happen, buggy shit is inevitable.

      There's countless halfass buggy code embedded devices out there, and now more and more they are getting connected to the outside world. So we'll see more and more 'zombie attacks', or plant meltdowns or whatnot, I'm sure.

      Maybe the MBAs will eventually figure out the importance of security, but not likely.

      --
      Sent from my PDP-11
    3. Re:Anyone noticed. . . by peragrin · · Score: 2

      Well, it took the NSA the Snowden leaks before they implemented a 2 man sysadmin rule. The only way to teach half the population that fire is hot is by sticking their hands in the fire.

      The only way to prove that you need security is by letting them get burned by the lack of it a couple of times.

      --
      i thought once I was found, but it was only a dream.
    4. Re:Anyone noticed. . . by Joce640k · · Score: 2

      "Cheap"?

      Some people have figured out that wining and dining can get you lucrative government contracts (can anybody come up with a single valid reason why Diebold are still in the supply chain?), but "cheap" isn't a suitable adjective.

      --
      No sig today...
    5. Re:Anyone noticed. . . by Dereck1701 · · Score: 2

      For a forest fire or flooding situation you'd probably be right, minutes aren't going to matter much. But for something like a poison gas release at a chemical plant or tornado warning seconds can count. There are stories from tornado alley where people heard an emergency alert over the radio/TV and as they were making their way to their basement/shelter a minute later the house was being torn apart around them.

  2. OT TWC EAS Rant... by glavenoid · · Score: 4, Interesting

    Time Warner Cable recently "upgraded" several of our analog cable channels to the basic digital tier which now requires a digital adapter. Unfortunately some of these are local stations that I watch regularly, so if I want to watch them I need the adapter, and using the adapter is mutually exclusive with regular analog cable without running a convoluted system of splitters and coax. Now after "upgrading" with the free digital adapter it's been *incessant* EAS tests and bogus alerts, sometimes going off every hour for days at a time, and the people at TWC can't or won't even attempt to fix it. This is annoying enough, but during one of these swarms of false alerts there was a REAL alert of a TORNADO in the area that ended up doing a lot of damage nearby. TWC's stupid mismanagement of the EAS system has completely undermined the use of the system itself. Bastards. Rant over.

    --
    I, for one, am looking forward to the inevitable /. beta rollout fallout.
    1. Re:OT TWC EAS Rant... by Opportunist · · Score: 4, Insightful

      As long as there is no fine for this kind of behaviour, it will not change. The only language corporations understand is one that hits them in their wallet.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  3. Re:Crying "Wolf!" by jtownatpunk.net · · Score: 2

    That's the plan, son. That's the plan.

  4. NOAA Weather Radio + OTA TV for the win... by Shakrai · · Score: 2

    NOAA Weather Radio should be receivable anywhere in CONUS and there are decent radios to be had (that will activate automatically during severe weather events) for less than $50. Something worth considering.

    As far as the asshats at TWC, have you considered going OTA-only or at least OTA for your local channels? If you're lucky you have a local station with a good weather operation that will go above and beyond the EAS reporting -- one of our local stations preempted NBC for the better part of an hour when we had a tornado earlier this year -- but even if they don't you'd still be assured of getting the EAS alerts.

    Check out TV Fool and AntennaWeb as starting resources for determining if OTA reception is feasible from your location and what kind of antenna system you would need to make it happen. As an added bonus, you'll get a far better HD picture than anything Time Warner is sending down their pipe, they compress the hell out of their digital channels.

    --
    I want peace on earth and goodwill toward man.
    We are the United States Government! We don't do that sort of thing.
  5. The real problem... by betterprimate · · Score: 2

    ... is when you message me and 6 million others at 4 in the morning because some kid (white) is missing.

    Do your fucking jobs, assholes. Next time you message me, you are agreeing to the updated ToS that you will find in your inbox next week. Each message I receive will cost you $1000. Is it worth it?

    Scratch that, let's make it $10K.

    Law is fun.