Root SSH Key Compromised in Emergency Alerting Systems

Digital Alert Systems From Monroe Electronics Contain a Known SSH Private Key and are Vulnerable to Remote Attack

File this one among the stories that fell through the cracks due to the 4th of July holiday in the U.S. According to a July 3 advisory from the Department of Homeland Security’s ICS-CERT, the Root SSH Key for Monroe Electronics emergency alert systems has been compromised. 

The private SSH key used in firmware images prior to version 2.0-2 of Monroe’s DASDEC-I and DASDEC-II, which are emergency alert system (EAS) encoder/decoder devices used to broadcast EAS messages over digital and analog channels, has been compromised – though how it happened exactly remains a puzzle. 

The SSH key was hardcoded into the devices, which is bad form really. Most programmers avoid it, but those who use hard-coded crypto keys in their firmware often do so because they feel it is safer than using hard-coded passwords. In reality, this sense of security is a false one.

In the case of Monroe’s hardware, unless the default settings were altered during deployment, the impacted systems are using a known key that enables remote access, meaning an attacker would have no problem accessing them if they are publicly facing or if the attacker has already compromised the network.
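As an added example (not from the article, IOActive or Monroe), the following Python audit fingerprints every key in an `authorized_keys` file and flags any that match a denylist of known firmware default keys. The article does not publish the key or its fingerprint, so the keys, the sample file and the denylist below are constructed stand-ins.

```python
import base64, hashlib, struct

def _blob(key_type, body):
    """Build a constructed (non-functional) public-key blob in SSH wire format."""
    t = key_type.encode()
    return struct.pack(">I", len(t)) + t + struct.pack(">I", len(body)) + body

def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint of a raw public-key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def key_entries(text):
    """Yield (line_no, key_type, fingerprint) for each key in authorized_keys text."""
    for line_no, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # A key may be preceded by an options field, so accept the first
        # (type, base64) pair whose decoded blob names the same key type.
        for key_type, b64 in zip(fields, fields[1:]):
            try:
                blob = base64.b64decode(b64, validate=True)
            except ValueError:
                continue
            (n,) = struct.unpack(">I", blob[:4]) if len(blob) >= 4 else (0,)
            if n and blob[4:4 + n] == key_type.encode():
                yield line_no, key_type, fingerprint(blob)
                break

def audit(text, denylist):
    """Return line numbers whose key fingerprint is on the denylist."""
    return [ln for ln, _type, fp in key_entries(text) if fp in denylist]

# Constructed sample data: stand-ins, not real keys from any device.
VENDOR = _blob("ssh-ed25519", b"\x41" * 32)  # stand-in for a firmware default key
ADMIN = _blob("ssh-ed25519", b"\x42" * 32)   # stand-in for a site-specific key
SAMPLE = "\n".join([
    "# constructed authorized_keys for root",
    "ssh-ed25519 " + base64.b64encode(ADMIN).decode() + " admin@site",
    'no-pty,command="/bin/true" ssh-ed25519 ' + base64.b64encode(VENDOR).decode() + " factory",
])
DENYLIST = {fingerprint(VENDOR)}

if __name__ == "__main__":
    for ln in audit(SAMPLE, DENYLIST):
        print(f"line {ln}: known firmware key is still authorized")
```

On a real system the denylist would hold the fingerprint of the public half of the key shipped in the affected firmware, and the check would be run against each account's `authorized_keys` after the update is applied.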

The vulnerability was discovered by Mike Davis, a principal research scientist at IOActive.

“Earlier this year we were shown an example of an intrusion on the EAS when the Montana Television Network’s regular programming was interrupted by news of a zombie apocalypse. Although there was no zombie apocalypse, it did highlight just how vulnerable the system is,” Davis said.

“These DASDEC application servers are currently shipped with their root privileged SSH key as part of the firmware update package,” he continued. “This key allows an attacker to remotely log on in over the Internet and can manipulate any system function. For example, they could disrupt a station’s ability to transmit and could disseminate false emergency information.”

Monroe told customers about the problem in April, but has remained silent with regard to how the compromise was brought to its attention. It did, however, tell customers that passwords were no longer being hard coded and that changes to password handling were implemented as part of the patching process.

“The EAS is designed to enable the President of the United States to speak to US citizens within 10 minutes of a disaster occurring,” IOActive explained. “In the past these alerts were passed from station to station using the Associated Press (AP) or United Press International (UPI) ‘wire services’ which connected to television and radio stations around the US. Whenever the station received an authenticated Emergency Action Notification (EAN), the station would disrupt its current broadcast to deliver the message to the public.”

According to an advisory from the company, most (but not all) of their customers have installed the updated firmware.  

“For any of these issues to be resolved, we believe that re-engineering needs to be done on the digital alerting system side and firmware updates to be pushed to all appliances,” Davis said.

Additional technical details on the vulnerabilities from IOActive are available here.

*Updated with revised headline, additional information from IOActive. Additional reporting by Mike Lennon.
