The problem, according to an IOActive security advisory, lies in the Monroe Electronics DASDEC-I and DASDEC-II servers used as part of the EAS system. These servers receive and authenticate EAS messages, and then interrupt the regular TV or radio broadcast to relay the emergency message to the people viewing or listening. The purpose is to allow emergency information to be relayed as widely and as rapidly as possible.
The servers are shipped with a default password. This is standard. But the problem here is that Monroe Electronics has effectively made the root SSH keys public knowledge. “These DASDEC application servers are currently shipped with their root privileged SSH key as part of the firmware update package", explained IOActive principle research scientist Mike Davis.
The IOActive security advisory explains further: "The root privileged SSH key for the DASDEC-I and DASDEC-II appliances (and potentially other Linux-based hardware provided by DAS) is distributed as part of the DASDEC firmware. This key would allow an attacker to log in as Root over the Internet to a DASDEC device, and then manipulate any system function."
"They could disrupt a station’s ability to transmit and could disseminate false emergency information," added Davis, resulting in a second zombie apocalypse – or worse. Depending on the configuration of the attacked system and other DASDEC servers, the false message could potentially ripple out to other broadcasters.
These problems aren't limited to false messages. "Additionally," warns the IOActive advisory, "all logged information on a DASDEC server can be accessed by an unauthenticated user. Log access also allows an attacker to browse key directories, providing him with a wealth of information about the server, its administrators, its peering arrangement – and basic login/logout information."
The basic problem has been fixed by Monroe in a new software update, version 2.0-2, which includes "Removal of default SSH keys and a simplified user option to load new SSH keys", and "Changes to password handling, and other security enhancements."
Monroe believes that most of its customers have already obtained the new update. Now that details of the vulnerability have been made public, it is imperative that all DASDEC users do so. "Until a new image is obtained and installed," warns Michael Mimoso in Kaspersky Lab's ThreatPost, "users are urged to disable the compromised root SSH key immediately, especially if it is Web-enabled. DHS CERT said that if users are unable to replace the SSH root key, they should restrict access to trusted hosts and networks, and change all default passwords."
We don't want another zombie apocalypse.