A security group which shed light in July on the vulnerabilities hackers exploited to compromise the national Emergency Alert System (EAS) announced Thursday that those weaknesses are still present, despite a patch having been issued.
“The patch was to specifically address the vulnerabilities in [US-CERT's] VU#662676 – specifically time-based passwords, exposed SSH keys being the most serious,” Mike Davis, principal research scientist at IOActive, a security service provider, told SCMagazine.com on Friday.
The patch was designed to remove the exposed SSH keys and correct the user-generated passwords, Davis said, but the researcher explained that this did not turn out to be the case and that most patched systems are still vulnerable.
“After discovering that most of the patched servers running 2.0-2 were still vulnerable to the exposed SSH key, I decided to dig deeper into the newly issued security patch and discovered another series of flaws which exposed more credentials (allowing unauthenticated alerts) along with a mixed bag of predictable and hard-coded keys and passwords,” Davis said in a Thursday post.
Web-accessible backups containing credentials are also available, the researcher added. “Even new features introduced to the 2.0-2 version since I first looked at the technology appeared to contain a new batch of hard-coded (in their configuration) credentials.”
A few months ago, Davis discovered that the root-privileged SSH key for DASDEC-1 and DASDEC-II – a digital emergency alerting and messaging technology made by Digital Alert Systems and used in the EAS – and perhaps for other Linux-based hardware as well was vulnerable, allowing attackers to manipulate the system by logging in to a DASDEC device using the default password “Root”.
That is what allowed hackers in February to broadcast zombie outbreak messages to viewers of four stations in Michigan and Montana, warning them of “dead bodies rising from the grave and attacking the living.”
At the time, the station manager of affected Michigan stations WBUP (ABC-10) and WBKP (CW-5) confirmed the zombie alert incident was caused by hackers.
When asked how this vulnerability allows an attacker to compromise the system, Davis said, “The attacker logs into the server using the hard-coded root password, or using the root SSH key, and issues an alert using the software. Alternatively, an attacker can just create credentials for himself and login using the web interface as any other authorized DASDEC user.”
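The two weaknesses the article keeps returning to, a root SSH key shared by every unit built from the same firmware image and credentials hard-coded in configuration files, are both things an operator can audit for after applying a vendor patch. The script below is an added example written for this page; it is not code from the article, from IOActive or from Digital Alert Systems. The keys, the authorized_keys file and the settings file are all constructed in the block (no real DASDEC key or configuration is used), and the fingerprint it computes is the standard OpenSSH SHA256 format so the result can be compared with `ssh-keygen -lf` output from a real host.

```python
"""Post-patch audit for shared SSH keys and hard-coded credentials.

Added example for this page; all sample keys and config lines are constructed.
"""
import base64
import hashlib
import re
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string': 4-byte big-endian length + payload."""
    return struct.pack(">I", len(data)) + data


def make_pubkey_line(key_type: str, key_bytes: bytes, comment: str) -> str:
    """Build one authorized_keys entry from raw key material (test data only)."""
    blob = ssh_string(key_type.encode()) + ssh_string(key_bytes)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


def fingerprint(pubkey_line: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(key blob)."""
    fields = pubkey_line.split()
    # Skip leading options such as from="..." (this simple split assumes no
    # spaces inside quoted option values).
    try:
        idx = next(i for i, f in enumerate(fields) if f.startswith(("ssh-", "ecdsa-")))
    except StopIteration:
        raise ValueError(f"not an authorized_keys entry: {pubkey_line!r}")
    blob = base64.b64decode(fields[idx + 1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def find_exposed_keys(authorized_keys_text: str, exposed: set) -> list:
    """Return (line_no, comment, fingerprint) for every entry whose key is in 'exposed'.

    'exposed' holds fingerprints of keys known to be shared or published, for
    example a key extracted from a vendor firmware image.
    """
    hits = []
    for n, line in enumerate(authorized_keys_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fp = fingerprint(line)
        if fp in exposed:
            hits.append((n, line.split()[-1], fp))
    return hits


# Matches key=value / key: value lines whose key name looks credential-like.
CRED_LINE_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9_.-]*(?:password|passwd|secret|token)[A-Za-z0-9_.-]*)"
    r"\s*[=:]\s*(?P<value>.*?)\s*$",
    re.IGNORECASE,
)


def find_hardcoded_credentials(config_text: str) -> list:
    """Return (line_no, key_name) for credential-like settings with a literal value.

    Empty values and ${VAR} references to the environment are not flagged.
    """
    findings = []
    for n, line in enumerate(config_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        m = CRED_LINE_RE.match(line)
        if m and m.group("value") and not m.group("value").startswith("${"):
            findings.append((n, m.group("name")))
    return findings


# --- Constructed sample data --------------------------------------------------
# A key that, like the one described in the article, shipped inside a firmware
# image and is therefore trusted by every unit built from it (fake key bytes).
VENDOR_KEY = make_pubkey_line("ssh-ed25519", b"\x11" * 32, "root@vendor-build")
# A key the operator generated for this one host (fake key bytes).
OPERATOR_KEY = make_pubkey_line("ssh-ed25519", b"\x22" * 32, "ops@station")

# Fingerprints an operator would collect from the firmware image, not from hosts.
EXPOSED_FINGERPRINTS = {fingerprint(VENDOR_KEY)}

AUTHORIZED_KEYS_AFTER_PATCH = "\n".join([
    "# root's authorized_keys on a hypothetical appliance after the patch",
    OPERATOR_KEY,
    VENDOR_KEY,  # the patch was supposed to remove this entry
    "",
])

SAMPLE_CONFIG = """\
# constructed settings file for a hypothetical appliance
listen_port = 8080
admin_user = admin
admin_password = changeme
db_password = ${DB_PASSWORD}
api_token = 0123456789abcdef
"""

if __name__ == "__main__":
    for n, comment, fp in find_exposed_keys(AUTHORIZED_KEYS_AFTER_PATCH, EXPOSED_FINGERPRINTS):
        print(f"authorized_keys line {n}: shared vendor key still trusted ({comment}, {fp})")
    for n, name in find_hardcoded_credentials(SAMPLE_CONFIG):
        print(f"config line {n}: hard-coded credential in setting '{name}'")
```

Run on a real host, `find_exposed_keys` would be fed each account's authorized_keys file and a set of fingerprints taken from the shipped firmware image, which is the check that distinguishes "patch installed" from "shared key actually gone"; the config scan is deliberately noisy and is meant to produce a short list for a human to read, not a verdict.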