How Vulnerable Is The Emergency Alert System?

I'm sure by now everyone has heard about the Emergency Alert System "Zombie Attack" incident. IOActive even released a security advisory about the vulnerabilities with DASDEC Emergency Alert System digital alert systems. However, the incident raises further concerns, such as "who in their right mind hooked up the Emergency Alert System to the Internet in the first place?"

If someone wanted to hack the Emergency Alert System, first they would need to know what hardware/software is out there. (Un)fortunately the FCC has already done part of this research and published a vendor list.

I started looking at the approved companies, and quickly became horrified by what I found.

Looking at the DASDEC (the system with the original vulnerability), I quickly found the system's manual.

Just glancing through the manual, I immediately found a screenshot showing the full URL used to access the DASDEC web interface. This can easily be used to generate a Google dork.

DASDEC II Login Screen (from user manual)

Below the screenshot, the default login of "Admin/dasdec" is ever so conveniently displayed.

Hopefully, DASDEC is the exception to the rule, and none of the other EAS systems are so easily accessible...right?

The next system I looked at was EASyCAP from Trilithic. Trilithic also makes their manuals available online.

Sure enough, checking the EASyCAP manual, this product too has a web interface. This interface also has a default username and password.

EASyCAP User Account Interface (from user manual)

Trilithic also provides the URL for their service, making a Google dork easy as well.

EASyCAP Access Instructions (from user manual)

The third EAS system I picked to examine is the SAGE ENDEC, which also has a manual available online.

Sure enough, this EAS system also has a web interface, and can be accessed using the default login of "Administrator/1111".

Looking through the feature list of other EAS systems on the FCC's list, it appears that every single EAS can be accessed using a web browser. This is quite honestly frightening.

Something important to note here is that I've never used the Emergency Alert System, ever. I've never heard of any of these systems until I started researching today. And yet, within a couple hours, I already know that all of the systems can be accessed over a web browser, by using publicly available data. Any systems which are publicly accessible over the internet are most likely very lax in security, and administrators may not even know they're publicly accessible.

At this point, I'm speechless. How could a system which is so critical to emergency communications in the United States be so vulnerable? Did no one blink an eye at the security implications of having the Emergency Alert System controllable by a web browser?

To reduce the chance of someone accessing the Emergency Alert System, network administrators should immediately review their firewall rules and verify that their EAS equipment is not accessible over the public internet.
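One way to start that firewall review, as an added example that is not part of the original post: the script below reads `iptables-save` output from a Linux gateway and lists port forwards and FORWARD accepts that let internet-side traffic reach an EAS device. The device addresses, the WAN interface name `eth0`, and the sample rules are constructed assumptions; substitute your own inventory and rule dump.

```python
import ipaddress
import shlex

# Assumed inventory of internal EAS device addresses (constructed values).
EAS_DEVICES = {"192.168.10.50": "DASDEC", "192.168.10.51": "ENDEC"}
WAN_IFACE = "eth0"  # assumed name of the internet-facing interface
# Constructed iptables-save output, embedded so the example runs offline.
SAMPLE_RULES = """\
*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.10.50:80
-A PREROUTING -i eth0 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 192.168.10.7:22
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.10.51:80
COMMIT
*filter
-A FORWARD -i eth0 -d 192.168.10.0/24 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -i eth0 -s 203.0.113.0/24 -d 192.168.10.51/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
"""

def opt(tokens, flag):
    return tokens[tokens.index(flag) + 1] if flag in tokens else None  # value after flag

def find_exposures(rules_text, devices=EAS_DEVICES, wan=WAN_IFACE):
    """Return (device, ip, allowed_source, rule) for WAN-side rules that reach a device."""
    findings = []
    for line in rules_text.splitlines():
        tokens = shlex.split(line)
        if len(tokens) < 2 or tokens[0] != "-A" or opt(tokens, "-i") not in (None, wan):
            continue  # not a rule, or bound to a non-WAN inbound interface
        target = opt(tokens, "-j")
        if target == "DNAT":  # port forward: check where it lands
            dest = (opt(tokens, "--to-destination") or "").split(":")[0]
        elif target == "ACCEPT" and tokens[1] == "FORWARD":  # routed traffic let in
            dest = opt(tokens, "-d") or "0.0.0.0/0"
        else:
            continue
        try:
            network = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # simplification: address ranges and negated ("!") matches are not handled
        for ip, name in devices.items():
            if ipaddress.ip_address(ip) in network:
                findings.append((name, ip, opt(tokens, "-s") or "any", line))
    return findings

if __name__ == "__main__":
    for name, ip, source, rule in find_exposures(SAMPLE_RULES):
        print(f"REVIEW {name} {ip} reachable from {source}: {rule}")
```

Every rule it prints is a candidate for review rather than proof of exposure, since a port forward also needs a matching FORWARD accept to pass traffic. A source of "any" is the case to close first.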

I suspect this post may generate some high traffic, so if you'd like to contact me directly about it for some reason please email:
caffsecblog <at> gmail <dot> com.
