Article: Emergency alert system easily pwnable after epic ZOMBIE attack prank

Hardware powering the US Emergency Alert System can be easily tricked into broadcasting bogus apocalyptic warnings from afar, say experts. Researchers at computer security biz IOActive reckon they found private encryption keys within firmware updates for the devices; miscreants armed with this information could successfully …

COMMENTS

This topic is closed for new posts.
Anonymous Coward

Surprise!

Why is it that when we see the word "exploit" or the phrase "security problems/issues", the article is always about Microsoft?

People need to give themselves a shake and stop using MS products!

0
26
Anonymous Coward

Re: Surprise!

The vulnerability is specific to Linux-powered application servers from two manufacturers,

Tell me again how this is an Issue with Microsoft?

17
4
Bronze badge
Joke

Re: Surprise!

It's because all the crap devs are still using MS products. Once they move to Linux we'll all be fucked.

(Joke icon, because I did RTFA.)

3
2
Silver badge

Re: Surprise!

Have you not noticed that AC always posts that exact text on any security story, regardless of the systems involved?

Either it's irony or some sort of negative astroturfing.

4
1
Silver badge

@dogged

Either it's irony or some sort of negative astroturfing.

Nope - it's Eadon, but hiding behind the cowl of anonymous

4
1
Silver badge
Holmes

Re: @dogged

More likely than String Theory.

0
1
Anonymous Coward

Re: @dogged

Not Eadon. It's a comment culled from an old MS security article from a number of years ago that I like to post on all security articles. (well, not all the MS ones....)

The point is that you can't just go "I use this vendor therefore I am secure". You have to secure stuff yourself or you are vulnerable.

(Eadon was Anti-MS, but even he didn't claim they were responsible for security flaws in Unix.....)

1
2
Silver badge

Re: @dogged

Eadon was Anti-MS, but even he didn't claim they were responsible for security flaws in Unix

Of course not. Eadon didn't admit to any security flaws EXISTING in Unix. Though I suspect that if you could get him to admit to one he'd somehow try to blame it on MS.

2
1
Bronze badge
Facepalm

Re: Surprise!

The vulnerability is specific to Linux-powered application servers from two manufacturers,

Tell me again how this is an Issue with Microsoft?

It isn't, of course ... but, equally, it isn't an issue with Linux. The problem seems to be that some fathead has decided to ship some software with private keys embedded in it in the clear.

It just happens that the software in question uses Linux ... the stupid error that leads to the vulnerability would be a stupid error and lead to a vulnerability on any system.

4
1
Meh

Re: Surprise!

Excellent troll, about 10 indignant replies harvested!

1
1
Silver badge
Trollface

Re: Surprise!

FISSION ACCOMPLISHED!

0
1
Windows

Re: @dogged

Any security flaws in Linux are obviously MS's fault - after all, they are a top contributor to the kernel (in 2011). Therefore, any problems since then originate in Redmond.

0
0
Bronze badge

Design

Surely system security is built into the design at the very first stage and kept in focus with every development, isn't it?

Or is there a higher priority? Maybe it has a really nice logo.

1
0
Bronze badge
FAIL

Re: Design

Or is there a higher priority?

Of course there is - fatter executive bonuses.

0
0
Anonymous Coward

It's not really about Linux either - it's about appallingly bad security practice.

15
0
Gold badge
Thumb Up

OMG I did not realize you can change the *message* remotely as well as start it up.

The possibilities are limited only by imagination and logistics.

"Zombie apocalypse" warning in Montana, many not fooled.

"Zombie apocalypse" warning everywhere (in US) the Lulze could be huge before anyone actually realizes that it defies all known laws of physics.

Thumbs up for this damn good prank and exposing yet another security hole in this web of stuff that's supposed to "protect" Americans.

7
1
Silver badge
Paris Hilton

Re: OMG I did not realize you can change the *message* remotely as well as start it up.

How does a Zombie Apocalypse everywhere on the Homeland defy all known laws of physics?

0
0
Silver badge

Re: OMG I did not realize you can change the *message* remotely as well as start it up.

...defies all known laws of physics.

I think you mean all known laws of biology. There's no law of physics that would prevent a corpse from being reanimated. Shuffling around moaning for brains might be a bit of a stretch, but I suspect they could do a music video with Michael Jackson.

1
0
Silver badge
Happy

Re: OMG I did not realize you can change the *message* remotely as well as start it up.

No. Laws of physics, because, as the number of humans with brains asymptotes to zero it will be found that the number of brainless people outnumbers the zombies by an order of magnitude. Thus, no apocalypse.

P.S. I've waited so many years for the chance to use 'asymptote' I feel so... so... god-like!

0
0
Silver badge

Re: OMG I did not realize you can change the *message* remotely as well as start it up.

Our American brethren would do well to watch the film "Brazil".

0
0

"According to the US CERT, a fixed version of the firmware is available that allows users to change their login keys, and should be applied to critical devices, but probably won't be."

There. Fixed it for you.

0
0

Or rather it will once it has gone through the proper change control process - for security!

0
0
Silver badge

But they will still set the password as 1234

1
0
WTF?

Public / Private keys

Not sure what's happening here, I would have thought the firmware would only need the PUBLIC key for SSH logins. Certainly if the PRIVATE key is also embedded then that's a major cockup as the firmware does not need to know this, indeed that's the whole point.

3
0
Silver badge
Pint

Re: Public / Private keys

that_is_the_point.jpg

1
0
Silver badge

Re: Public / Private keys

They forgot to encrypt the private key - doh!

2
0
Silver badge
Boffin

Re: Public / Private keys @Bluewhelk

Yes, indeed that's the point. Some lazy admins have been known to run the following commands:

# ssh-keygen

(generate passwordless key)

# cat .ssh/id_rsa.pub > .ssh/authorized_keys

then they copy around the .ssh/id_rsa file. Now if this were the case with said firmware, it means that anyone getting their hands on the firmware gets the id_rsa key, and said key has access to the box. With no password.

Not sure if this is the case, but I wouldn't be surprised if it was...

0
0
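The failure mode discussed in this thread (a passphrase-less private key copied around inside a firmware image) is something a defender can check for before an image ships or after it is unpacked. The following scanner is an added example, not the vendors' or IOActive's code; it walks an extracted tree, finds PEM/OpenSSH private-key blocks and reports whether each one is passphrase-protected. The sample key blocks are constructed for the test and are not real keys.

```python
import base64
import re
import struct
from pathlib import Path

# Added example (not vendor or IOActive code): flag private keys that ship
# in the clear inside an unpacked firmware tree. PEM/OpenSSH text only.
PEM_KEY_RE = re.compile(
    rb"-----BEGIN (?P<kind>(?:OPENSSH|RSA|DSA|EC|ENCRYPTED)? ?PRIVATE KEY)-----"
    rb"(?P<body>.*?)-----END (?P=kind)-----", re.DOTALL)
OPENSSH_MAGIC = b"openssh-key-v1\x00"

def classify_key(kind: bytes, body: bytes) -> str:
    """'encrypted' or 'plaintext' for one PEM/OpenSSH private-key block."""
    if kind.startswith(b"ENCRYPTED") or b"Proc-Type: 4,ENCRYPTED" in body:
        return "encrypted"                      # PKCS#8 or legacy PEM passphrase
    if kind.startswith(b"OPENSSH"):
        # OpenSSH format: magic, then a length-prefixed cipher name;
        # cipher "none" means the key has no passphrase.
        raw = base64.b64decode(b"".join(body.split()), validate=True)
        if not raw.startswith(OPENSSH_MAGIC):
            return "malformed"
        off = len(OPENSSH_MAGIC)
        (clen,) = struct.unpack_from(">I", raw, off)
        cipher = raw[off + 4:off + 4 + clen]
        return "plaintext" if cipher == b"none" else "encrypted"
    return "plaintext"                          # bare PKCS#1/SEC1 key, no passphrase

def find_private_keys(data: bytes) -> list[tuple[str, str]]:
    """(key kind, status) for every private-key block found in data."""
    return [(m["kind"].decode(), classify_key(m["kind"], m["body"]))
            for m in PEM_KEY_RE.finditer(data)]

def scan_tree(root: Path) -> list[tuple[Path, str, str]]:
    """Walk an unpacked image; return (file, kind, status) for each key."""
    return [(p, kind, status) for p in root.rglob("*") if p.is_file()
            for kind, status in find_private_keys(p.read_bytes())]

# Constructed samples, not real keys: a passphrase-less OpenSSH header and a
# legacy PEM block that carries the encryption marker.
def openssh_block(cipher: bytes) -> bytes:
    raw = OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher + b"\x00" * 16
    return (b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.encodebytes(raw)
            + b"-----END OPENSSH PRIVATE KEY-----\n")

SAMPLE_PLAINTEXT = b"# sshd config\n" + openssh_block(b"none")
SAMPLE_ENCRYPTED = (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                    b"DEK-Info: AES-128-CBC,00\n\nAAAA\n-----END RSA PRIVATE KEY-----\n")
```

Run `scan_tree(Path("/path/to/unpacked/image"))` on a firmware tree; any `plaintext` hit is a key that grants access to every box trusting it, with no password, exactly the case described above.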
FAIL

Re: Public / Private keys

It sounds like the private keys were embedded in the update tool so the update utility could get a root login. So much easier than doing it right and having a proper code signing system. Sigh.

0
0
Mushroom

And all they wanted

was a nice game of chess.

1
0
Silver badge
Alien

Where is Orson Welles when we need him?

The Martians are invading! The Martians are invading!

1
0
Anonymous Coward

So what you're saying, is that you're not meant to...

.....HIDE your secrets in plain-sight, then?

obviously the spooks have it wrong then!

0
0
Bronze badge

the great thing about open source is that all the code is out in the open which makes it so secure, much better than proprietary, closed source stuff, blah, blah, blah....

ohhh.....

Let Eadon back on to defend the almighty Linux!

0
4
Silver badge
Facepalm

Missing the point

The image has a private SSH key in the open that has access to the accounts. It would be like having the official Windows Server release have 'password' as the default Administrator account password on it.

1
0
Anonymous Coward

V - for Vulnerability

A/C for Icon

0
0
Silver badge

Are they *sure* the zombie alert was a prank?

Is it just me, or has anyone else noticed there's been nothing else heard from Montana since then?

1
0
Anonymous Coward

Question for all...

Does anyone listen to radio these days? What with all the cell phones and texting, maybe there should be an "alert all cell phones" in specific geographical areas as well.

Of course, with the lax security that others have shown, it would be a wonderful prank to edit the president's voice to say something like "We have just exploded a Nuclear Bomb over Iran, the world is now safe" or some such (note to law enforcement: this is a joke/satire, don't arrest me!).

Anonymous for obvious reasons

0
0

Re: Question for all...

Already is. Luckily you can disable most of them except for "Presidential Alerts".

On my phone the list is:

Presidential

Extreme

Severe

Amber

0
0
Gold badge

Re: Question for all...

"Does anyone listen to radio these days? What with all the cell phones and texting, maybe there should be an "alert all cell phones" in specific geographical areas as well."

There is. While under development it was called CMAS or PLAN depending on which agency you talked to (Commercial Mobile Alert System or Personal Localized Alerting Network). It is now called WEA (Wireless Emergency Alerts). These are available nationwide in the US, and phones started supporting reception of these alerts within the last several years. Several non-supporting models have also received firmware updates to support them (both my previous Motorola Droid 2 Global and current Samsung Stratosphere did not support these, then they did after a firmware update. These both have 2.3.x with WEA added on; I think Android 4.x supports WEA stock.)

This system uses broadcast texts and a minor modification to the stock messaging app so it alerts on receipt of a message, subject to user control. It has options for "CMAS Test messages", AMBER alerts (this is for child abductions), "Severe alerts" (this is ordinarily severe thunderstorm or tornado warnings around here), "extreme alerts" (typically around here this means a tornado is on the ground), and "presidential alerts" (the nukes are on the way I suppose?). Presidential alerts cannot be disabled* while all others can be.

(An example message:

06/24/2013 2:36PM

From: #CMAS#Extreme

Tornado Warning in this area til 3:00 PM CDT. Take shelter now. Check local media. -NWS

)

*...Through the menu. If I set Handcent up to take over as "Default messaging application" for SMS and MMS, the stock app fails to alert, just the usual text messaging ding from Handcent.

0
0
Mushroom

Re: Question for all...

The Presidential Alert does indeed mean "the nukes are on the way". It's a bit of a relic of the Cold War, and has never actually been used in practice in any of its forms. (Not even on September 11, 2001.)

0
0

The station's call letters are KRTV - it's my local CBS affiliate. A similar message was broadcast in Michigan and New Mexico; it played on a radio station, too, if I remember right. Freaked some people out.

0
0