Vulnerabilities Uncovered in U.S. Emergency Alerting System

July 12, 2013

Is the U.S. in danger of a zombie apocalypse? Doubtful, but vulnerabilities in the U.S. Emergency Alerting System could convince us otherwise.

The U.S. Emergency Alerting System (EAS) is designed to allow for quick alerts during an emergency, but vulnerabilities in the digital alerting systems could allow an attacker to log on over the Internet and manipulate system functions, either disrupting a TV or radio station’s ability to transmit a message or disseminate false emergency information.

Researchers at IOActive, Inc., announced that they had discovered the vulnerabilities in the EAS, noting that the primary vulnerabilities are in the digital alerting systems – DASDEC – application servers (which receive and authenticate EAS messages), according to an IOActive press release.

An early example of this was last year’s intrusion on the Montana Television Network, when regular programming was interrupted by news of a zombie apocalypse, says principal research scientist Mike Davis. You can see a video of the hacked programming here.

“These DASDEC application servers are currently shipped with their root privileged SSH key as part of the firmware update package. This key allows an attacker to remotely log on in over the Internet and can manipulate any system function. For example, they could disrupt a station's ability to transmit and could disseminate false emergency information. For any of these issues to be resolved, we believe that re-engineering needs to be done on the digital alerting system side and firmware updates to be pushed to all appliances,” he says in the release.

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.