Global PR Manager, IOActive, Inc.
T: +1 206 462 2291Press Release
IOActive Uncovers Vulnerabilities in United States Emergency Alerting System
Digital Alerting Systems DASDEC application servers found to be vulnerable to remote attack
Seattle, WA ― July 8, 2013 ― IOActive, Inc., a leading provider of application security, compliance and smart grid security services, today announced that is has discovered vulnerabilities in the Emergency Alerting System (EAS) which is widely used by TV and radio stations across the United States.
IOActive's principal research scientist, Mike Davis, uncovered the vulnerabilities in the digital alerting systems - DASDEC - application servers. The DASDEC receives and authenticates EAS messages. Once a station receives and authenticates the message, the DASDEC interrupts the broadcast and overlays the message onto the broadcast with the alert tone containing some information about the event. The affected devices are the DASDEC-I and DASDEC-II appliances.
“Earlier this year we were shown an example of an intrusion on the EAS when the Montana Television Network's regular programming was interrupted by news of a zombie apocalypse. Although there was no zombie apocalypse, it did highlight just how vulnerable the system is,” said Mike Davis, principal research scientist for IOActive. “These DASDEC application servers are currently shipped with their root privileged SSH key as part of the firmware update package. This key allows an attacker to remotely log on in over the Internet and can manipulate any system function. For example, they could disrupt a station's ability to transmit and could disseminate false emergency information. For any of these issues to be resolved, we believe that re-engineering needs to be done on the digital alerting system side and firmware updates to be pushed to all appliances.”
The EAS is designed to enable to the President of the United States to speak to US citizens within 10-minutes of a disaster occurring. In the past these alerts were passed from station to station using the Associate Press (AP) or United Press International (UPI) “wire services” which connected to television and radio stations around the US. Whenever the station received an authenticated Emergency Action Notification (EAN), the station would disrupt its current broadcast to deliver the message to the public. On Wednesday 26 June, the Cyber Emergency Response Team (CERT) published an advisory providing details of the vulnerability.
IOActive has also issued its own IOActive Labs Advisory outlining the affected products, the impact and the solution.
Established in 1998, IOActive is an industry leader that offers comprehensive computer security services with specialisations in smart grid technologies, software assurance, and compliance. Boasting a well-rounded and diverse clientele, IOActive works with a majority of Global 500 companies including power and utility, hardware, retail, financial, media, aerospace, healthcare, high-tech, and software development organizations. As a home for highly skilled and experienced professionals, IOActive attracts talented consultants who contribute to the growing body of security knowledge by speaking at such elite conferences as Black Hat, Ruxcon, Defcon, BlueHat, CanSec, and WhatTheHack. For more information, visit www.ioactive.com.