Information Security News mailing list archives

This Is Not a Test: Emergency Broadcast Systems Proved Hackable


From: InfoSec News <alerts () infosecnews org>
Date: Tue, 9 Jul 2013 08:08:08 +0000 (UTC)

http://www.wired.com/threatlevel/2013/07/eas-holes/

By Kim Zetter
Threat Level
Wired.com
07.08.13

Several models of Emergency Alert System decoders, used to break into TV and radio broadcasts to announce public safety warnings, have vulnerabilities that would allow hackers to hijack them and deliver fake messages to the public, according to an announcement by a security firm on Monday.

The vulnerabilities included a private root SSH key distributed in publicly available firmware images, which would have allowed an attacker with SSH access to a device to log in with root privileges and issue fake alerts or disable the system.

IOActive principal research scientist Mike Davis uncovered the vulnerabilities in the application servers of two digital alerting systems known as DASDEC-I and DASDEC-II. The servers are responsible for receiving and authenticating emergency alert messages.

"These DASDEC application servers are currently shipped with their root privileged SSH key as part of the firmware update package," Davis said in a statement. "This key allows an attacker to remotely log on in over the Internet and can manipulate any system function."

[...]


