There is a set of easily exploited vulnerabilities in the appliances used in the Emergency Alert System (EAS) that could let attackers log in to these boxes remotely and send fake emergency alerts, like the one that interrupted a TV broadcast in Montana on Monday. The vulnerabilities include authentication bypasses and other bugs that a researcher says can be used to compromise the ENDEC (encoder/decoder) machines responsible for sending alerts out over the EAS on TV and radio.
On Monday, attackers gained access to an ENDEC at a TV station in Great Falls, Mont., and sent out a fake emergency alert warning of an ongoing zombie apocalypse. Reports suggest that attackers went after ENDECs at other TV stations as well. It’s not clear which bugs the attackers exploited in those machines, but Mike Davis, principal research scientist at security firm IOActive, said that he has found vulnerabilities in ENDECs from popular manufacturers that would let an attacker do exactly what the Montana hackers did.
The problems lie in the firmware loaded on the ENDECs. These machines are designed to receive encoded messages from the EAS, decode and authenticate them, and then broadcast them over the air. Because the system is designed to be automated, an ENDEC has to sit on a network rather than operate as a standalone box in a station, and many of these boxes are discoverable on the Internet, Davis said, which puts them within reach of attackers. Davis said that he spent a few hours one day looking at the firmware on these devices, as a sideline from another research project, and found a number of vulnerabilities, the most serious of which allowed him to log in remotely to an ENDEC and insert a message that would be broadcast over the EAS.
“There is some really, really terrible software on the other side of that box,” Davis said. “There are some known issues like authentication bypasses and what I would call back doors, although I don’t know if they were meant that way. While I can’t provide authenticated messages [from the EAS system itself], I can log into all of them and insert authenticated messages.”
Davis is not identifying the manufacturers of the vulnerable products because the bugs have not been fixed.
The EAS uses the Common Alerting Protocol (CAP), an XML-based message format, to deliver alerts to ENDECs throughout an emergency. Among other features, CAP lets senders target a message to specific geographic areas, so that an emergency in one region doesn’t trigger alerts in unaffected areas. Davis said that CAP, unlike the protocol used by the older Emergency Broadcast System, has a cryptographic authentication mechanism, but that it isn’t sufficient.
“It does have some cryptography, but it’s not very strongly authenticated,” he said. “Some boxes have secondary authentication.”
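As an added example, not code from the article, from IOActive or from any ENDEC vendor, here is how a receiver might parse a CAP 1.2 alert, apply its geographic targeting and refuse to relay a message that carries no XML signature. The CAP 1.2 namespace, the SAME geocode convention and the placeholder signature block are assumptions, and the two sample alerts are constructed; the code checks only that a signature element is present, because real verification needs an XML-DSig library and the originator’s trusted certificate, which this snippet does not have.

```python
"""Parse a CAP 1.2 alert and decide whether an ENDEC should relay it.

Added example; not code from the article, IOActive or any ENDEC vendor.
Assumed: the CAP 1.2 namespace, SAME geocodes in <area>, and an enveloped
XML Signature (ds:Signature) as the authentication mechanism. Samples are
constructed; the signature block is a placeholder, not a real signature.
"""
import xml.etree.ElementTree as ET

CAP_NS = "urn:oasis:names:tc:emergency:cap:1.2"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"


def _q(tag, ns=CAP_NS):
    """Clark-notation tag name ({namespace}tag) for ElementTree lookups."""
    return f"{{{ns}}}{tag}"


def _text(parent, tag):
    """Stripped text of a direct child element, or None if absent."""
    el = parent.find(_q(tag)) if parent is not None else None
    return el.text.strip() if el is not None and el.text else None


def parse_cap(xml_text):
    """Extract the fields an ENDEC needs from a CAP 1.2 alert document."""
    root = ET.fromstring(xml_text)
    if root.tag != _q("alert"):
        raise ValueError(f"not a CAP 1.2 alert: {root.tag}")
    info = root.find(_q("info"))
    same_codes = set()
    if info is not None:
        # Each <area> may carry several <geocode> pairs; keep only SAME codes.
        for geo in info.iterfind(f"{_q('area')}/{_q('geocode')}"):
            if _text(geo, "valueName") == "SAME":
                same_codes.add(_text(geo, "value"))
    return {
        "identifier": _text(root, "identifier"),
        "sender": _text(root, "sender"),
        "status": _text(root, "status"),
        "msgType": _text(root, "msgType"),
        "event": _text(info, "event"),
        "same_codes": same_codes,
        # Presence of an enveloped XML Signature on <alert>. Presence is not
        # verification: a real ENDEC must verify it with an XML-DSig library
        # against the originator's trusted certificate.
        "signed": root.find(_q("Signature", DS_NS)) is not None,
    }


def should_relay(alert, local_same_codes, require_signature=True):
    """Gate an alert on signature, status, message type and geography.

    Returns (decision, reason). Geographic filtering keeps an alert for one
    county off the air in another; the signature gate keeps an unauthenticated
    message, injected by whoever can reach the box, off the air entirely.
    """
    if require_signature and not alert["signed"]:
        return False, "unsigned alert"
    if alert["status"] != "Actual":
        return False, f"status is {alert['status']!r}, not Actual"
    if alert["msgType"] not in ("Alert", "Update"):
        return False, f"msgType {alert['msgType']!r} is not relayed"
    if not alert["same_codes"] & set(local_same_codes):
        return False, "no SAME code matches this station's service area"
    return True, "ok"


# Constructed sample: a Cascade County, MT (SAME 030013) civil emergency
# message with no signature at all.
UNSIGNED_ALERT = """<alert xmlns="urn:oasis:names:tc:emergency:cap:1.2">
  <identifier>EXAMPLE-0001</identifier>
  <sender>example-originator@invalid</sender>
  <sent>2013-02-11T15:30:00-07:00</sent>
  <status>Actual</status>
  <msgType>Alert</msgType>
  <scope>Public</scope>
  <info>
    <event>Civil Emergency Message</event>
    <urgency>Immediate</urgency>
    <severity>Severe</severity>
    <certainty>Observed</certainty>
    <area>
      <areaDesc>Cascade County, MT</areaDesc>
      <geocode><valueName>SAME</valueName><value>030013</value></geocode>
    </area>
  </info>
</alert>"""

# Constructed placeholder for an enveloped signature; these values are not a
# real signature and would fail any actual XML-DSig verification.
SIGNATURE_BLOCK = """  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo><Reference URI=""/></SignedInfo>
    <SignatureValue>constructed-placeholder</SignatureValue>
  </Signature>
"""
SIGNED_ALERT = UNSIGNED_ALERT.replace("</alert>", SIGNATURE_BLOCK + "</alert>")

if __name__ == "__main__":
    station_area = ["030013"]  # this station serves Cascade County
    for label, doc in (("unsigned", UNSIGNED_ALERT), ("signed", SIGNED_ALERT)):
        alert = parse_cap(doc)
        print(label, alert["event"], sorted(alert["same_codes"]),
              should_relay(alert, station_area))
```

Run it directly to see the unsigned alert rejected and the signed one accepted for a station whose service area includes SAME code 030013; change the station’s codes and the signed alert is dropped on geography instead. The weakness Davis describes sits outside this gate: an attacker who can log in to the box can bypass the check entirely or hand it a message the box already treats as authenticated.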
The problems Davis found represent a serious weakness in the EAS. Some ENDECs are networked together so that they can relay messages to one another, so an attacker who compromised one could conceivably cause problems on others as well. Davis reported the vulnerabilities to US-CERT about a month ago, and he said that some ENDEC manufacturers have since pulled some of the faulty firmware off the market.