Vulnerabilities Uncovered in U.S. Emergency Alerting System

Is the U.S. in danger of a zombie apocalypse? Doubtful, but vulnerabilities in the U.S. Emergency Alerting System could convince us otherwise.

The U.S. Emergency Alerting System (EAS) is designed to allow for quick alerts during an emergency, but vulnerabilities in the digital alerting systems could allow an attacker to log on over the Internet and manipulate system functions, either disrupting a TV or radio station’s ability to transmit a message or disseminate false emergency information.

Researchers at IOActive, Inc., announced that they had discovered the vulnerabilities in the EAS, noting that the primary vulnerabilities are in the digital alerting systems – DASDEC – application servers (which receive and authenticate EAS messages), according to an IOActive press release.

An early example of this was last year’s intrusion on the Montana Television Network, when regular programming was interrupted by news of a zombie apocalypse, says principal research scientist Mike Davis. You can see a video of the hacked programming here.

“These DASDEC application servers are currently shipped with their root privileged SSH key as part of the firmware update package. This key allows an attacker to remotely log on in over the Internet and can manipulate any system function. For example, they could disrupt a station's ability to transmit and could disseminate false emergency information. For any of these issues to be resolved, we believe that re-engineering needs to be done on the digital alerting system side and firmware updates to be pushed to all appliances,” he says in the release.

ON DEMAND: Business-impacting events such as severe weather, man-made disasters, and supply chain disruption are increasing in frequency and making impacts around the globe.

A head of state needs heart surgery at your facility. High-profile members of a national sports team are getting updated vaccinations. What do you do when you get the call?