7 Years Later, Emergency Alert Systems Still Unpatched, Vulnerable
chicksdaddy writes: The Security Ledger is reporting that greater than 50 Emergency Alert System (EAS) units made by Monroe Electronics (now Digital Alert Systems) are un-patched and accessible from the general public Internet, seven years after safety researchers alerted the general public about safety flaws within the units. More than 50 EAS deployments throughout the United States nonetheless use a shared SSH key, a safety vulnerability first found and reported by IOActive in 2013, in line with a warning posted by the safety researcher Shawn Merdinger on January 19, seven years after the preliminary vulnerability report was issued.
Security Ledger considered the uncovered internet interfaces for Monroe/Digital Alerts Systems EAS utilized by two FM broadcasters in Texas and an uncovered EAS belonging to a broadband cable supplier in North Carolina. Also publicly accessible: EAS programs for 2 stations (FM and AM) serving the Island of Hawaii. Residents there acquired a false EAS alert about an incoming ICBM in 2018. That incident was discovered to be the results of human error however prompted the FCC to situation new steerage about securing EAS programs. Digital Alert Systems stated it’s conscious of the issue and is contacting the purchasers whose gear is uncovered. However, a search utilizing the Shodan search engine means that few have taken steps to take away their EAS programs from the general public Internet previously week. Security Ledger is withholding the names of the broadcasters whose EAS programs had been uncovered for safety causes. None of the stations contacted for the story was capable of present remark previous to publication.