Root SSH Key Compromised in Emergency Alerting Systems

Digital Alert Systems From Monroe Electronics Contain a Known SSH Private Key and are Vulnerable to Remote Attack

File this one among the stories that fell through the cracks due to the 4th of July holiday in the U.S. According to a July 3 advisory from the Department of Homeland Security’s ICS-CERT, the Root SSH Key for Monroe Electronics emergency alert systems has been compromised. 

The private SSH key used in firmware images prior to version 2.0-2 of Monroe’s DASDEC-I and DASDEC-II, which are emergency alert system (EAS) encoder/decoder devices used to broadcast EAS messages over digital and analog channels, has been compromised – though how it happened exactly remains a puzzle. 

The SSH key was hardcoded into the devices, which is bad form really. Most programmers avoid it, but those who use hard-coded crypto keys in their firmware often do so because they feel it is safer than using hard-coded passwords. In reality, this sense of security is a false one.

In the case of Monroe’s hardware, unless the default settings were altered during deployment, the impacted systems are using a known key that enables remote access. An attacker would have no problem accessing them if they are publicly facing or if the attacker has already compromised the network.
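One way an operator could check a device for a firmware-shipped key, shown as an added example that is not code from the article, Monroe or IOActive: it fingerprints every entry in an `authorized_keys` file and flags any that match a denylist of known-compromised keys. The key blobs, the sample file and the denylist entry are constructed for illustration; the fingerprint of the real DASDEC key is not given on this page.

```python
import base64
import binascii
import hashlib
import struct

def make_blob(key_type: str, body: bytes) -> str:
    """Build a CONSTRUCTED public-key blob (type string + filler), base64-encoded."""
    t = key_type.encode()
    return base64.b64encode(struct.pack(">I", len(t)) + t + body).decode()

def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint in the format printed by `ssh-keygen -lf`."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def key_entries(text: str):
    """Yield (line_no, key_type, blob) per valid key line, skipping any options prefix."""
    for line_no, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        for key_type, blob in zip(fields, fields[1:]):
            try:
                raw = base64.b64decode(blob, validate=True)
            except (binascii.Error, ValueError):
                continue
            # A real blob starts with a length-prefixed copy of its key type.
            t = key_type.encode()
            if raw[:4 + len(t)] == struct.pack(">I", len(t)) + t:
                yield line_no, key_type, blob
                break

def audit(text: str, known_bad: set) -> list:
    """Return (line_no, fingerprint) for every entry whose key is on the denylist."""
    return [(n, fingerprint(b)) for n, _, b in key_entries(text) if fingerprint(b) in known_bad]

# Constructed sample data: neither blob is a real key.
VENDOR_DEFAULT = make_blob("ssh-rsa", b"\x01" * 64)  # stands in for the firmware-shipped key
ADMIN_KEY = make_blob("ssh-ed25519", b"\x02" * 32)
KNOWN_BAD = {fingerprint(VENDOR_DEFAULT)}
SAMPLE = "\n".join([
    "# /root/.ssh/authorized_keys (constructed)",
    f"ssh-ed25519 {ADMIN_KEY} admin@station",
    f'from="10.0.0.5",command="/bin/true now" ssh-rsa {VENDOR_DEFAULT} factory',
    "ssh-rsa not-base64!! broken",
])

if __name__ == "__main__":
    for line_no, fp in audit(SAMPLE, KNOWN_BAD):
        print(f"line {line_no}: known-compromised key {fp}")
```

Matching on the fingerprint rather than the comment field matters because the comment is free text and survives or changes independently of the key material.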

The vulnerability was discovered by Mike Davis, a principal research scientist at IOActive.

“Earlier this year we were shown an example of an intrusion on the EAS when the Montana Television Network’s regular programming was interrupted by news of a zombie apocalypse. Although there was no zombie apocalypse, it did highlight just how vulnerable the system is,” Davis said.

“These DASDEC application servers are currently shipped with their root privileged SSH key as part of the firmware update package,” he continued. “This key allows an attacker to remotely log on in over the Internet and can manipulate any system function. For example, they could disrupt a station’s ability to transmit and could disseminate false emergency information.”

Monroe told customers about the problem in April, but has remained silent about how the compromise was brought to its attention. The company did, however, tell customers that passwords were no longer being hard coded and that changes to password handling were implemented as part of the patching process.

“The EAS is designed to enable the President of the United States to speak to US citizens within 10 minutes of a disaster occurring,” IOActive explained. “In the past these alerts were passed from station to station using the Associated Press (AP) or United Press International (UPI) ‘wire services’ which connected to television and radio stations around the US. Whenever the station received an authenticated Emergency Action Notification (EAN), the station would disrupt its current broadcast to deliver the message to the public.”

According to an advisory from the company, most (but not all) of their customers have installed the updated firmware.  

“For any of these issues to be resolved, we believe that re-engineering needs to be done on the digital alerting system side and firmware updates to be pushed to all appliances,” Davis said.

Additional technical details on the vulnerabilities from IOActive are available here.

*Updated with revised headline, additional information from IOActive. Additional reporting by Mike Lennon.
