Backdoor in US emergency alert systems
Source: Digital Alert Systems
The US-CERT, which is part of the US Department of Homeland Security, warns that security-critical vulnerabilities in US emergency alert systems potentially allow attackers to switch off the systems or misuse them to broadcast arbitrary emergency alerts. The Linux systems are used at TV and radio stations in the US and enable the US government to interrupt ongoing broadcasts when there is an emergency. This is designed to allow the US president to address the nation within ten minutes.
Security researchers at IOActive discovered that publicly available firmware updates for emergency alert systems by Digital Alert Systems and Monroe Electronics include SSH keys that enable remote attackers to log in as root. The US-CERT's advisory also mentions other vulnerabilities that affect the generation of passwords and session IDs or provide access to log files that could potentially contain sensitive information. Applying firmware updates will resolve the issues.
The researchers also discovered that the systems offer default passwords. If a broadcaster doesn't change this password before launching the emergency alert system, potential attackers can easily take control of the system. In early 2013, unknown attackers managed to remotely control the KRTV and Public TV 13 stations this way. The intruders took the opportunity to inform the nation of the imminent beginning of the zombie apocalypse.
(djwm)