July 11, 2013
IOActive, the corporation that controls interception of emergency messages (EAS) by interrupting broadcasts to transmit those messages, a.k.a. DASDEC, has become susceptible to hacker attacks.
Mike Davis, research scientist at IOActive, stated: “These DASDEC application servers are currently shipped with their root privileged SSH key as part of the firmware update package. This key allows an attacker to remotely log on in over the Internet and can manipulate any system function.”
Davis calls attention to the fact that “re-engineering needs to be done on the digital alerting system side and firmware updates to be pushed to all appliances.”
According to the report: “An attacker who gains control of one or more DASDEC systems can disrupt these stations’ ability to transmit and could disseminate false emergency information over a large geographic area. In addition, depending on the configuration of this and other devices, these messages could be forwarded to and mirrored by other DASDEC systems.”
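A release-side check for the problem Davis describes, a private key left inside an update package, as an added example (not code from IOActive or Monroe Electronics). It assumes the package is a tar archive; the file names and key bodies are constructed placeholders.

```python
import io
import re
import tarfile

# PEM armor lines that mark private key material (RSA, DSA, EC, OpenSSH, PKCS#8).
KEY_RE = re.compile(rb"-----BEGIN ((?:RSA |DSA |EC |OPENSSH |ENCRYPTED )?PRIVATE KEY)-----")

def scan_update_package(fileobj):
    """List private keys embedded in a tar-based package (format is an assumption)."""
    findings = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            data = tar.extractfile(member).read()
            for m in KEY_RE.finditer(data):
                label = m.group(1).decode()
                if label.startswith("OPENSSH"):
                    encrypted = None  # cipher name sits inside the base64 blob
                else:
                    # PKCS#8 encrypted label, or the legacy PEM encryption header
                    header = data[m.end():m.end() + 64]
                    encrypted = (label.startswith("ENCRYPTED")
                                 or b"Proc-Type: 4,ENCRYPTED" in header)
                findings.append({"path": member.name, "type": label, "encrypted": encrypted})
    return findings

def build_sample_package():
    """Constructed sample: a small tar.gz with placeholder (non-functional) keys."""
    def pem(label, extra=b""):  # body is base64 of the word CONSTRUCTED
        return (b"-----BEGIN %b-----\n%bQ09OU1RSVUNURUQ=\n-----END %b-----\n"
                % (label, extra, label))
    files = {
        "pkg/install.sh": b"#!/bin/sh\necho installing\n",
        "pkg/root/.ssh/id_rsa": pem(b"RSA PRIVATE KEY"),
        "pkg/backup.key": pem(b"RSA PRIVATE KEY", b"Proc-Type: 4,ENCRYPTED\n\n"),
        "pkg/server.crt": pem(b"CERTIFICATE"),
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf

if __name__ == "__main__":
    print(scan_update_package(build_sample_package()))
```

Any finding with `encrypted` set to `False` is a usable key that every recipient of the package also holds, so a build pipeline would fail the release on it.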
Earlier this year, Monroe Electronics, producer of DASDEC, relayed that they have resolved “potential security vulnerabilities and improve[d] several operational features” for the EAS.
The Department of Homeland Security (DHS) reviewed the IOActive report and commented that: “IOActive reports that the administrative web server uses a predictable, monotonically increasing session ID. This finding is based on running the web server in a test environment. Testing on a variety of firmware versions on devices both at the factory and in the field, Monroe Electronics could not reproduce this finding.”
This report comes after hackers were able to take over a Montana TV station and broadcast false EAS reports about a pending zombie attack.
The fake warning stated: “Civil authorities in your area have reported that the bodies of the dead are rising from their graves and attacking the living.”
Davis commented: “Earlier this year we were shown an example of an intrusion on the EAS when the Montana Television Network’s regular programming was interrupted by news of a zombie apocalypse. Although there was no zombie apocalypse, it did highlight just how vulnerable the system is. These DASDEC application servers are currently shipped with their root privileged SSH key as part of the firmware update package. This key allows an attacker to remotely log on in over the Internet and can manipulate any system function. For example, they could disrupt a station’s ability to transmit and could disseminate false emergency information. For any of these issues to be resolved, we believe that re-engineering needs to be done on the digital alerting system side and firmware updates to be pushed to all appliances.”
Earlier this year, the EAS was beta-tested for the National Warning System (NWS) as outlined by the Federal Emergency Management Agency (FEMA).
This federal version allows the Obama administration to interrupt broadcasts to relay important information in the event of a “grave emergency”.
Although this technology has not been tested, Twitter and email alerts have proven effective in lessening complications during a crisis.
In 2010, the National Association of Broadcasters (NAB) tried to coerce Congress to require that all Americans purchase an FM radio.
These radios would be equipped with a microchip that could control the device; turning it on and off and automatically broadcasting Obama’s messages to every American.