Vulnerabilities of US Emergency Alert System exposed
The US Emergency Alert System has a serious vulnerability that may allow it to be hijacked by a remote attacker. The problem revolves around systems used to receive and authenticate emergency alert messages, and pertains to specific Linux-powered application servers from Digital Alert Systems.
According to Mike Davis, principal research scientist for IOActive, the flaw in the DASDEC-I and DASDEC-II gear from Digital Alert Systems is that the devices ship with their root-privileged SSH key as part of the firmware update package.
Because the firmware is publicly downloadable, attackers are theoretically able to download and recover the SSH key.
The problem is serious because the recovered SSH key can be used to log into the devices over the Internet to disrupt the device or distribute false alerts. And because the system is automated, stations that receive and successfully authenticate the message using their DASDEC hardware will immediately interrupt their transmission and overlay the message.
According to Davis, resolving the issue entails re-engineering "the digital alerting system side and firmware updates to be pushed to all appliances." Presumably, a more sophisticated way of managing and updating the SSH key will also be beneficial.
For now, US-CERT says that a fixed version of the firmware (2.0-2) is available, and that it allows users to change the login keys.
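Changing the login keys only helps if the factory key is actually removed from root's trust list. The following is an added example, not code from the vendor, IOActive or US-CERT: it parses an `authorized_keys` file and flags entries whose fingerprint matches a known factory key. The function names and the sample file are constructed for illustration, and the operator is assumed to supply the factory key's fingerprint themselves.

```python
import base64
import binascii
import hashlib

# Key-type prefixes that can start the key field of an authorized_keys line.
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-")

def fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text):
    """Yield (line_no, key_type, fingerprint, comment) for each key line."""
    for line_no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # An options field (e.g. from="...") may precede the key type.
        for i, field in enumerate(fields[:-1]):
            if field.startswith(KEY_TYPES):
                try:
                    fp = fingerprint(fields[i + 1])
                except (binascii.Error, ValueError):
                    break  # malformed blob: skip this line
                yield line_no, field, fp, " ".join(fields[i + 2:])
                break

def find_factory_keys(text, factory_fingerprints):
    """Return the entries whose fingerprint is in the known-factory set."""
    return [e for e in parse_authorized_keys(text) if e[2] in factory_fingerprints]

# Constructed sample: the blobs are placeholder bytes, not real keys.
FACTORY_BLOB = base64.b64encode(b"constructed factory key blob").decode()
SITE_BLOB = base64.b64encode(b"constructed site key blob").decode()
SAMPLE = (
    "# root authorized_keys (constructed)\n"
    f"ssh-rsa {SITE_BLOB} admin@station\n"
    f'from="10.0.0.0/8" ssh-dss {FACTORY_BLOB} vendor-support\n'
)

if __name__ == "__main__":
    known_bad = {fingerprint(FACTORY_BLOB)}
    for line_no, ktype, fp, comment in find_factory_keys(SAMPLE, known_bad):
        print(f"line {line_no}: {ktype} {fp} ({comment}) is a factory key")
```

Any match after the upgrade means the device still accepts logins from whoever holds the key shipped in the public firmware.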
- check out this article at The Register