Follow Slashdot blog updates by subscribing to our blog RSS feed

 


Forgot your password?
Close
typodupeerror
×
Security Privacy Software Technology

7 Years Later, Emergency Alert Systems Still Unpatched, Vulnerable (securityledger.com) 24

Posted by BeauHD from the better-late-than-never dept.
chicksdaddy writes: The Security Ledger is reporting that more than 50 Emergency Alert System (EAS) devices made by Monroe Electronics (now Digital Alert Systems) are un-patched and accessible from the public Internet, seven years after security researchers alerted the public about security flaws in the devices. More than 50 EAS deployments across the United States still use a shared SSH key, a security vulnerability first discovered and reported by IOActive in 2013, according to a warning posted by the security researcher Shawn Merdinger on January 19, seven years after the initial vulnerability report was issued.

Security Ledger viewed the exposed web interfaces for Monroe/Digital Alerts Systems EAS hardware used by two FM broadcasters in Texas and an exposed EAS belonging to a broadband cable provider in North Carolina. Also publicly accessible: EAS systems for two stations (FM and AM) serving the Island of Hawaii. Residents there received a false EAS alert about an incoming ICBM in 2018. That incident was found to be the result of human error but prompted the FCC to issue new guidance about securing EAS systems. Digital Alert Systems said it is aware of the problem and is contacting the customers whose gear is exposed. However, a search using the Shodan search engine suggests that few have taken steps to remove their EAS systems from the public Internet in the past week. Security Ledger is withholding the names of the broadcasters whose EAS systems were exposed for security reasons. None of the stations contacted for the story was able to provide comment prior to publication.
This discussion has been archived. No new comments can be posted.

7 Years Later, Emergency Alert Systems Still Unpatched, Vulnerable More

7 Years Later, Emergency Alert Systems Still Unpatched, Vulnerable

Comments Filter:

  • Danger to all viewers... (Score:3)

    by The New Guy 2.0 ( 3497907 ) on Tuesday January 28, 2020 @11:49PM (#59666692)

    EAS is the interruption protocol that replaced EAS allowing takeover of an unmanned station (AM, FM or TV) by another in the event of an "emergency" situation. This is the series of modem tones you hear when they test it. The problem is there's not enough security or authentication to verify who's broadcasting, so nearly any program can be superimposed on any station with the takeover of just one. This should be unplugged.

    • Re:Danger to all viewers... (Score:4, Insightful)

      by dgatwood ( 11270 ) on Wednesday January 29, 2020 @12:14AM (#59666734) Homepage Journal

      Somehow, I feel like if somebody finds a way to send out zombie attack warnings on a daily basis for a week, the problem will take care of itself.

      • Indeed, they'd track the person down and arrest them in less time than that. "Problem solved."

        No. Not that easy.

        • Re: (Score:2)

          by dgatwood ( 11270 )

          Indeed, they'd track the person down and arrest them in less time than that. "Problem solved."

          Only if that person is foolish enough to mess with the same station twice and doesn't use adequate layers of VPN to mask the source of the attack.

          • No. This would not just be the FBI investigating, they would have tips from the NSA, DIA, etc.

          • Adequate layers of VPN? Tell me. How many layers in your opinion are adequate?

            • Re: (Score:2)

              by Mashiki ( 184564 )

              One. You only need a VPN that's been court tested to keep no logs.

              • Got a reference?

              • Re: (Score:2)

                by tlhIngan ( 30335 )

                One. You only need a VPN that's been court tested to keep no logs.

                They all keep logs.

                They have to - because you're only allowed a limited number of connections to their service. So they have to log your connection.

                Now, they can destroy that log entry the moment you log out, so you should continuously be making and breaking the VPN connection. And you should also rotate which servers you use - choosing to use ones where there is at least another person on it at the same time which mixes your traffic in with

        • The EAS is like an emergency stop button on a train or near heavy machinery, it's meant to be easy to activate even if that leads to FPs. Having a real emergency that no-one can be notified about because no-one can find the post-it note with the 65-character SSH password is far worse than the risk of some prankster posting a zombie alert once a blue moon.

          • It is a good argument, but freaking people out when it misfires seems to be the only real-world use so far.

            It was put in place to warn people in the event of a nuclear war, because the leaders are Deists and they want to have time to pray before we all die.

            • Yeah, good point. You really need a user-tunable setting, like in an IDS, where you can choose to filter out all the noise, so on a sliding scale of "One of the Kardashians just sneezed" through to "NUCLEAR WAR IS ACTUALLY STARTING RIGHT NOW, THAT STREAK IN THE SKY IS THE INCOMING WARHEAD" I'd set it more towards the latter than the former.

              I live outside the US where luckily the govt. is a bit more sensible, so far I've only ever had one alert which was a tsunami warning, that's about the level of severi

              • That's exactly what I do when it goes off. I step outside and look at the sky to see if I'm about to die. So far, not. But I've never been happy to hear the damn thing.

                Now, the one they broadcast on weather band radio, that one is really useful, I bring it with me when I visit the coast and if there is a high wind warning, it tells me. And if that big tsunami ever happens, the first alerts are going to be on the weather radio, not the other one.

  • The Hawaii missile alert in 2018 had nothing to do with any vulnerabilities that need to be patched.  It was because the console operator didn't know what he was doing.  (It may be considered resolved after they fired the person.)

    It should not have been in the article.

  • This article is symptomatic of the state of affair in public debate.

    The problem is that we have a lot of doomsday machines which can be triggered inadvertently or through actions of escalation where aggressive actors lose control of the situation.

    The major culprit is the US who is constantly playing russian roulette while at the same time adding bullets to the revolver. Dan Ellsberg understands that and he understands the US is constantly playing russian roulette with the planet. I'd say more, if you hear s

Slashdot Top Deals

He has not acquired a fortune; the fortune has acquired him. -- Bion

Close