IOActive Finds Security Flaws in U.S. Emergency Alert System

Share it on Twitter  
Share it on Facebook  
Share it on Linked in  

Researchers at IOActive recently uncovered significant vulnerabilities in the U.S. Emergency Alerting System (EAS), which were leveraged earlier this year to broadcast warnings of zombie attacks on TV stations in Montana and Michigan (h/t PCMag).

According to IOActive principal research scientist Mike Davis, the vulnerabilities lie in the digital alerting systems (DASDEC) application servers -- the DASDEC receives, authenticates and delivers EAS messages.

"Earlier this year we were shown an example of an intrusion on the EAS when the Montana Television Network's regular programming was interrupted by news of a zombie apocalypse," Davis said in a statement. "Although there was no zombie apocalypse, it did highlight just how vulnerable the system is."

"These DASDEC application servers are currently shipped with their root privileged SSH key as part of the firmware update package," Davis added. "This key allows an attacker to remotely log on in over the Internet and can manipulate any system function. For example, they could disrupt a station's ability to transmit and could disseminate false emergency information."

PCMag's Chloe Albanesius notes that Monroe Electronics, which produces the DASDEC systems, released a software update [PDF file] in April to mitigate the vulnerability, which Monroe says "the very large majority of customers" have already installed.