NO JOKE —

We interrupt this program to warn the Emergency Alert System is hackable

Publicly available SSH key makes it possible to hijack nation's warning system.

We interrupt this program to warn the Emergency Alert System is hackable

The US Emergency Alert System, which interrupts live TV and radio broadcasts with information about national emergencies in progress, is vulnerable to attacks that allow hackers to remotely disseminate bogus reports and tamper with gear, security researchers warned.

The remote takeover vulnerability, which was fixed in an update issued in April, affected the DASDEC-I and DASDEC-II application servers made by a company called Digital Alert Systems. It stems from a recent firmware update that mistakenly included the private secure shell (SSH) key, according to an advisory published Monday by researchers from security firm IOActive. Administrators use such keys to remotely log in to a server to gain unfettered "root" access. The publication of the key makes it trivial for hackers to gain unauthorized access on Digital Alert System appliances that run default settings on older firmware.

"An attacker who gains control of one or more DASDEC systems can disrupt these stations' ability to transmit and could disseminate false emergency information over a large geographic area," the IOActive advisory warned. "In addition, depending on the configuration of this and other devices, these messages could be forwarded and mirrored by other DASDEC systems."

Other advisories warning of the vulnerability were published here and here by the Industry Control Systems Cyber Emergency Response Team and the US CERT. The US CERT advisory, which also warns against vulnerabilities in the One-Net E189 Emergency Alert System device sold by Digital Alert Systems' parent company Monroe Electronics, was published two weeks ago.

The warnings come five months after hackers took over the emergency alert system of a Montana TV station and broadcast a bogus emergency bulletin warning TV viewers of an imminent zombie apocalypse. Devices used by stations in Michigan, California, Tennessee, and New Mexico were also reportedly commandeered. "Civil authorities in your area have reported that the bodies of the dead are rising from the grave and attacking the living," at least one of the prank messages said. The advisories from IOActive and the CERT groups didn't say if the February attacks were carried out by exploiting the SSH key vulnerability.

The Emergency Alerting System is designed to enable the US president to deliver speeches to the entire country within 10 minutes of a disaster occurring. Application servers such as the DASDEC-I and DASDEC-II interrupt regular programming broadcast by TV and radio stations and relay an emergency message, which is preceded and followed by alert tones. In addition to tampering with the delivery of legitimate emergency messages, attackers who use the SSH key to log in to vulnerable systems could make unauthorized changes to the server and glean potentially sensitive configure information that could lead to additional hacks.

Stations that use vulnerable gear should upgrade to version 2.0-2, which is available by sending an e-mail to support@digitalalertsystems.com.

Update on July 12, 2013: A Monroe Electronics representative said the vulnerability played no role in the bogus Zombie apocalypse warnings. The representative also said he was "pretty sure" no Tennessee stations were affected by the fake warnings. This article has been updated in the second paragraph to make clear the vulnerability was fixed in April.

Channel Ars Technica