More than three months ago, a researcher from IOActive published details of some serious problems he’d found with equipment used to run the Emergency Alert System, which is used to send out notifications in the case of a natural disaster or other serious situation. The researcher notified the equipment manufacturers affected by the bugs, one of which could enable an attacker to send out a fake alert, and the vendors updated their software. However, it appears that those fixes didn’t actually solve the problems.
Mike Davis of IOActive, found several problems with EAS equipment, the most worrying of which is the existence of a compromised, publicly known SSH root key for Monroe Electronics R189 One-Net/R189SE One-NetSE EAS devices. An attacker with knowledge of the SSH key could log into one of the devices with root privileges and send out a false alert, among other potential actions. Davis reported this bug, along with several others, through the CERT in January, and the organization worked with the affected vendors to produce patches, which were ready by the end of June. Davis published details of his research in early July, and since then he’s been looking at some of the patched devices on the Internet and discovered that many, if not most, are still vulnerable.
“In addition to not removing the exposed keys, it didn’t appear that anyone even tried to review or audit any other aspect of the DASDEC security before pushing the update out. If someone told you that you had a shared SSH key for root you might say… check the root password wasn’t the same for every box too right? Yeah… you’d think so wouldn’t you!” Davis said in a blog post.
“After discovering that most of the ‘patched’ servers running 2.0-2 were still vulnerable to the exposed SSH key I decided to dig deeper in to the newly issued security patch and discovered another series of flaws which exposed more credentials (allowing unauthenticated alerts) along with a mixed bag of predictable and hardcoded keys and passwords. Oh, and that there are web accessible back-ups containing credentials.”
IOActive has been working with CERT again, which has, in turn, been in contact with Monroe Electronics about the issue. However, Davis said that the issue seems to be more of a marketing one for the company than a security one, a not-uncommon issue with some vendors who are unused to dealing with security researchers and public disclosure of vulnerabilities. Davis, in his post about the still-vulnerable EAS equipment, said that it doesn’t appear that the vendor will fix the problems anytime soon.
“Upon our last contact with CERT we were informed that ‘[t]hese findings are entering the realms of ‘not terribly serious’ and ‘not something the vendor can practically do much about’,” Davis said.
“Let’s not forget that the EAS is a critical national infrastructure component designed to save lives in an emergency. Ten months on and the entire system appears more vulnerable than when we began pointing out the vulnerabilities.”
Image from Flickr photos of Aaron Parecki.