Monroe Electronics has released a software update to address the issue

Jul 9, 2013 07:23 GMT

Monroe Electronics, a US company that develops and distributes electrostatic measuring instruments, has inadvertently included a private SSH key in the publicly available firmware for DASDEC-I and DASDEC-II emergency alert system (EAS) encoder/decoder devices.

Cybercriminals could use the exposed SSH key to gain root access to the devices – which are primarily used in the United States for emergency alert systems by radios and televisions.

According to the advisory from IOActive, the company that identified the issue, an attacker can use the SSH key to remotely log in as “root” to the impacted devices and manipulate any system function.

A report published by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) reveals that there are no known public exploits designed to specifically target this vulnerability.

In addition, Monroe Electronics has released an update to address the issue. ICS-CERT advises organizations that use DASDEC to apply the DASDEC v2.0-2 software update.
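
The failure described above, a private key shipped inside a publicly downloadable firmware image, can be caught by scanning the unpacked image before release. The Python example below is added here and is not code from Monroe Electronics, IOActive or ICS-CERT; the function names, file paths and sample tree are assumptions made for illustration, and the sample "keys" are constructed placeholder bytes.

```python
import base64, os, re, tempfile
# PEM-armoured private keys (RSA, DSA, EC, PKCS#8, OpenSSH), even inside a binary blob.
PEM_RE = re.compile(rb"-----BEGIN ((?:RSA |DSA |EC |OPENSSH |ENCRYPTED )?PRIVATE KEY)-----"
                    rb"(.*?)-----END \1-----", re.DOTALL)
MAGIC = b"openssh-key-v1\x00"  # header of the decoded OpenSSH key container

def is_encrypted(label: bytes, body: bytes) -> bool:
    """Best-effort passphrase check; an encrypted key in a release is still a finding."""
    if label != b"OPENSSH PRIVATE KEY":
        return label == b"ENCRYPTED PRIVATE KEY" or b"Proc-Type: 4,ENCRYPTED" in body
    try:
        raw = base64.b64decode(b"".join(body.split()))
    except ValueError:
        return False
    off = len(MAGIC) + 4
    n = int.from_bytes(raw[len(MAGIC):off], "big")  # length of the cipher-name field
    return raw.startswith(MAGIC) and raw[off:off + n] not in (b"", b"none")

def scan_tree(root: str, max_bytes: int = 64 << 20):
    """Return sorted (relative path, key label, encrypted?) for each private key found."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.isfile(path) and not os.path.islink(path):
                with open(path, "rb") as fh:
                    data = fh.read(max_bytes)  # files larger than this are only partly scanned
                rel = os.path.relpath(path, root)
                findings += [(rel, m.group(1).decode(), is_encrypted(*m.groups()))
                             for m in PEM_RE.finditer(data)]
    return sorted(findings)

def make_sample(root: str) -> None:  # constructed tree; placeholder bytes, not real keys
    def fake(cipher: bytes) -> bytes:
        blob = MAGIC + len(cipher).to_bytes(4, "big") + cipher + b"\x00" * 24
        return (b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(blob)
                + b"\n-----END OPENSSH PRIVATE KEY-----\n")
    samples = {"opt/app/keys/id_key": fake(b"none"),  # hypothetical paths
               "etc/blob.bin": b"\x7fELF\x00" + fake(b"aes256-ctr") + b"\xff"}
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample(tmp)
        print(scan_tree(tmp))
```

Any non-empty result should block the release; a passphrase-protected key is reported too, since it has no place in a public image.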

Jeff Hudson, CEO of encryption key and digital certificate management provider Venafi, has told Softpedia that this recent incident once again highlights the fact that compromised cryptographic keys and digital certificates can affect both human lives and organizations.

“In this case, the failure of Monroe Electronics to protect and secure the SSH keys used in emergency systems alert of life-threatening situations provides cybercriminals an open door to remotely access and compromise those vital tools,” Hudson said.

“The world is becoming more digitally dependent every day, and organizations' failure to establish control of trust instruments that secure communications and transactions is just plain poor business. As recent cyberattacks demonstrate, certificates and keys have become the attack vector of choice,” he added.

“Making matters worse, Global 2000 organizations have an average of 17,807 keys and certificates, yet over 50 percent don’t know how many of these trust tools their organization currently uses, according to new Ponemon Research,” Hudson explained.

“Failure to protect and secure keys and certificates makes today's organizations vulnerable at the most fundamental level, endangering their networks, customers, brands and, in the end, their very existence.”