July 26, 2013
Monroe Electronics Offers Confirmation On EAS Vulnerability
Peter Suciu for redOrbit.com - Your Universe Online
Earlier this month news circulated that the United States Emergency Alert System (EAS), which can interrupt TV and radio programming with critical information about national emergencies, could have a critical flaw that would allow hackers to take control of the system. The service, which has long been trusted to deliver information during a crisis, reportedly had a vulnerability that could allow hackers to break into the system and even broadcast fake messages to the United States.
The flaw was reported by security firm IOActive and reportedly uncovered by its principal research scientist, Mike Davis, who found that the affected devices are the DASDEC-I and DASDEC-II appliances.
However, Monroe Electronics, which makes the DASDEC application servers that provide the backend for digital alerting systems, reportedly had already been looking into the issue.
In April the company released a version 2.0-2 software update for the DASDEC and One-Net alert messaging systems. According to the company, this was a significant update that was released to customers on April 24 of this year. It was intended to resolve a potential security vulnerability and improve several specific operational features in the company's EAS and Common Alerting Protocol (CAP) products.
"A very critical fact omitted in researcher's report is that - several months ago - Monroe Electronics issued a software release with a cumulative security update that addressed these reported concerns," Ed Czarnecki, senior director of strategy, development and regulatory affairs, told RedOrbit via email. "The software update was issued in a soft release in March 2013, and then in a general release in April 2013. Our understanding is that most users had already implemented this update."
"A vulnerability with Monroe Electronics' product, DASDEC, was fixed about two months ago as part of a software update provided by the manufacturer," said Dan Watson, a spokesman for the Federal Emergency Management Agency (FEMA).
The upgrades and enhancements in version 2.0-2 for DASDEC and One-Net remove default SSH keys and instead provide a simplified user option to load new SSH keys, Monroe Electronics noted in a PDF. The upgrade also provides new password handling and enhanced functionality in several features in both systems.
While IOActive had suggested that it could take a while for companies currently using the equipment to apply the patches, Monroe Electronics has noted that most of its users have already obtained this update, and it continues to encourage all DASDEC and R189 One-Net users that haven't implemented the update to do so.
"We undertook great efforts to provide a cumulative security update that removed all SSH keys, addressed password policy, and made other security enhancements," said Czarnecki. "We also made a committed effort to contact our users directly with information about the nature of the concern, and the software mitigation, and the need to adhere to accepted network security practices."
FEMA handles oversight of the EAS, and confirmed the issue was fixed via a software update. The current EAS system replaced the iconic Emergency Broadcast System in 1997. That older system, which had been established in the 1960s during President John F. Kennedy's administration, had been designed to "enable the President of the United States to speak to the United States within 10 minutes" following an emergency.