IOActive researcher Mike Davis has analyzed Monroe Electronics devices

Oct 23, 2013 07:40 GMT

IOActive researcher Mike Davis warns that the patches rolled out by Monroe Electronics to address security holes in DASDEC-I and DASDEC-II emergency alert systems (EAS) have made the devices even more vulnerable than they were before.

Back in July, Davis warned that the company had inadvertently included a private SSH key in the publicly available firmware, thus exposing the devices to cyberattacks. Monroe Electronics rolled out the 2.0-2 patch and it was deployed on many of the impacted appliances.

However, the expert has found that the patch is not effective. Furthermore, it makes the devices even more vulnerable than they were before. The IOActive researcher says Monroe Electronics has handled the situation more like a “marketing problem” than a security issue.

“After discovering that most of the ‘patched’ servers running 2.0-2 were still vulnerable to the exposed SSH key, I decided to dig deeper into the newly issued security patch and discovered another series of flaws which exposed more credentials (allowing unauthenticated alerts) along with a mixed bag of predictable and hardcoded keys and passwords,” Davis noted.

“Oh, and that there are web accessible back-ups containing credentials. Even new features introduced to the 2.0-2 version since I first looked at the technology appeared to contain a new batch of hardcoded (in their configuration) credentials,” he added.

In early 2013, hackers hijacked the emergency alert systems of a Montana TV station and issued a zombie warning. Since then, experts have urged manufacturers on numerous occasions to make sure that EAS systems are properly secured.

However, as Davis points out, ten months after experts began pointing out the flaws, the systems are more vulnerable than they were at first.

Unfortunately, IOActive has been told that their findings are “not terribly serious” and that there’s not much the vendor can do to address the security holes.