Emergency alert system easily pwnable after epic ZOMBIE attack prank

Hardware powering the US Emergency Alert System can be easily tricked into broadcasting bogus apocalyptic warnings from afar, say experts. Researchers at computer security biz IOActive reckon they found private encryption keys within firmware updates for the devices; miscreants armed with this information could successfully …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    Surprise!

    Why is it that when we see the word "exploit" or the phrase "security problems/issues", the article is always about Microsoft?

    People need to give themselves a shake and stop using MS products!

    1. Anonymous Coward
      Anonymous Coward

      Re: Surprise!

      The vulnerability is specific to Linux-powered application servers from two manufacturers,

      Tell me again how this is an issue with Microsoft?

      1. dogged

        Re: Surprise!

        Have you not noticed that AC always posts that exact text on any security story, regardless of the systems involved?

        Either it's irony or some sort of negative astroturfing.

        1. ukgnome

          @dogged

          Either it's irony or some sort of negative astroturfing.

          Nope - it's Eadon, but hiding behind the cowl of anonymous

          1. Destroy All Monsters Silver badge
            Holmes

            Re: @dogged

            More likely than String Theory.

          2. Anonymous Coward
            Anonymous Coward

            Re: @dogged

            Not Eadon. It's a comment culled from an old MS security article from a number of years ago that I like to post on all security articles. (well, not all the MS ones....)

            The point is that you can't just go "I use this vendor therefore I am secure". You have to secure stuff yourself or you are vulnerable.

            (Eadon was Anti-MS, but even he didn't claim they were responsible for security flaws in Unix.....)

            1. sisk

              Re: @dogged

              Eadon was Anti-MS, but even he didn't claim they were responsible for security flaws in Unix

              Of course not. Eadon didn't admit to any security flaws EXISTING in Unix. Though I suspect that if you could get him to admit to one he'd somehow try to blame it on MS.

              1. PeteA
                Windows

                Re: @dogged

                Any security flaws in Linux are obviously MS's fault - after all, they are a top contributor to the kernel (in 2011). Therefore, any problems since then originate in Redmond.

      2. dajames
        Facepalm

        Re: Surprise!

        The vulnerability is specific to Linux-powered application servers from two manufacturers,

        Tell me again how this is an issue with Microsoft?

        It isn't, of course ... but, equally, it isn't an issue with Linux. The problem seems to be that some fathead has decided to ship some software with private keys embedded in it in the clear.

        It just happens that the software in question uses Linux ... the stupid error that leads to the vulnerability would be a stupid error and lead to a vulnerability on any system.

    2. Brewster's Angle Grinder Silver badge
      Joke

      Re: Surprise!

      It's because all the crap devs are still using MS products. Once they move to Linux we'll all be fucked.

      (Joke icon, because I did RTFA.)

    3. mark 63 Silver badge
      Meh

      Re: Surprise!

      Excellent troll, about 10 indignant replies harvested!

      1. Destroy All Monsters Silver badge
        Trollface

        Re: Surprise!

        FISSION ACCOMPLISHED!

  2. Terry 6 Silver badge

    Design

    Surely system security is built into the design at the very first stage and kept in focus with every development, isn't it?

    Or is there a higher priority? Maybe it has a really nice logo.

    1. Fatman
      FAIL

      Re: Design

      Or is there a higher priority?

      Of course there is - fatter executive bonuses.

  3. Anonymous Coward
    Anonymous Coward

    It's not really about Linux either - it's about appallingly bad security practice.

  4. John Smith 19 Gold badge
    Thumb Up

    OMG I did not realize you can change the *message* remotely as well as start it up.

    The possibilities are limited only by imagination and logistics.

    "Zombie apocalypse" warning in Montana, many not fooled.

    "Zombie apocalypse" warning everywhere (in US): the Lulze could be huge before anyone actually realizes that it defies all known laws of physics.

    Thumbs up for this damn good prank and exposing yet another security hole in this web of stuff that's supposed to "protect" Americans.

    1. Destroy All Monsters Silver badge
      Paris Hilton

      Re: OMG I did not realize you can change the *message* remotely as well as start it up.

      How does a Zombie Apocalypse everywhere on the Homeland defy all known laws of physics?

    2. sisk

      Re: OMG I did not realize you can change the *message* remotely as well as start it up.

      ...defies all known laws of physics.

      I think you mean all known laws of biology. There's no law of physics that would prevent a corpse from being reanimated. Shuffling around moaning for brains might be a bit of a stretch, but I suspect they could do a music video with Michael Jackson.

      1. Will Godfrey Silver badge
        Happy

        Re: OMG I did not realize you can change the *message* remotely as well as start it up.

        No. Laws of physics, because, as the number of humans with brains asymptotes to zero it will be found that the number of brainless people outnumbers the zombies by an order of magnitude. Thus, no apocalypse.

        P.S. I've waited so many years for the chance to use 'asymptote' I feel so... so... god-like!

    3. Alan Brown Silver badge

      Re: OMG I did not realize you can change the *message* remotely as well as start it up.

      Our American brethren would do well to watch the film "Brazil".

  5. Franklin

    "According to the US CERT, a fixed version of the firmware is available that allows users to change their login keys, and should be applied to critical devices, but probably won't be."

    There. Fixed it for you.

    1. vmistery

      Or rather it will once it has gone through the proper change control process - for security!

      1. Tom 35

        But they will still set the password as 1234

  6. Bluewhelk
    WTF?

    Public / Private keys

    Not sure what's happening here, I would have thought the firmware would only need the PUBLIC key for SSH logins. Certainly if the PRIVATE key is also embedded then that's a major cockup as the firmware does not need to know this, indeed that's the whole point.

    1. Destroy All Monsters Silver badge
      Pint

      Re: Public / Private keys

      that_is_the_point.jpg

    2. frank ly

      Re: Public / Private keys

      They forgot to encrypt the private key - doh!

    3. Daniel B.
      Boffin

      Re: Public / Private keys @Bluewhelk

      Yes, indeed that's the point. Some lazy admins have been known to run the following commands:

      # ssh-keygen

      (generate passwordless key)

      # cat .ssh/id_rsa.pub > .ssh/authorized_keys

      then they copy around the .ssh/id_rsa file. Now if this were the case with said firmware, it means that anyone getting their hands on the firmware gets the id_rsa key, and said key has access to the box. With no password.

      Not sure if this is the case, but I wouldn't be surprised if it was...
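The audit a defender would run on an unpacked firmware image before shipping it, catching exactly the mistake described above (a passphrase-less key baked into the image). This is an added example, not code from the article or from anyone in the thread; the file paths and key bodies are constructed, and a real run would feed the `{path: bytes}` map from the extracted image tree.

```python
# Added example (not from the article or the thread): find private keys in an
# extracted firmware image that can be used without a passphrase.
import base64
import re
import struct

PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]*?)PRIVATE KEY-----(.*?)-----END", re.S)

def openssh_cipher(body: bytes) -> str:
    """Cipher name in an 'openssh-key-v1' blob; 'none' means no passphrase."""
    raw = base64.b64decode(b"".join(body.split()))
    magic = b"openssh-key-v1\0"
    if not raw.startswith(magic):
        return "unknown"
    (n,) = struct.unpack(">I", raw[len(magic):len(magic) + 4])
    return raw[len(magic) + 4:len(magic) + 4 + n].decode()

def is_plaintext(label: str, body: bytes) -> bool:
    """True when a PEM private-key block can be loaded without a passphrase."""
    if label == "ENCRYPTED" or b"Proc-Type: 4,ENCRYPTED" in body:
        return False                     # PKCS#8 wrapped, or legacy DEK-Info
    if label == "OPENSSH":
        return openssh_cipher(body) == "none"
    return True                          # bare RSA/EC/PKCS#8: usable as-is

def plaintext_keys(files: dict) -> list:
    """Paths (from a {path: bytes} map) holding at least one plaintext key."""
    return sorted(path for path, data in files.items()
                  if any(is_plaintext(m.group(1).strip().decode(), m.group(2))
                         for m in PEM_RE.finditer(data)))

def openssh_blob(cipher: bytes) -> bytes:
    """Constructed minimal OpenSSH-format key carrying only the cipher field."""
    raw = b"openssh-key-v1\0" + struct.pack(">I", len(cipher)) + cipher
    return (b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(raw)
            + b"\n-----END OPENSSH PRIVATE KEY-----\n")

# Constructed image contents: hypothetical paths, dummy key material.
SAMPLE_IMAGE = {
    "root/.ssh/id_rsa": (b"-----BEGIN RSA PRIVATE KEY-----\nAAAA\n"
                         b"-----END RSA PRIVATE KEY-----\n"),
    "opt/update/id_ed25519": openssh_blob(b"none"),          # no passphrase
    "etc/ssl/server.key": openssh_blob(b"aes256-ctr"),       # passphrase set
    "etc/ssh/ssh_host_rsa_key": (b"-----BEGIN RSA PRIVATE KEY-----\n"
                                 b"Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,00\n\n"
                                 b"AAAA\n-----END RSA PRIVATE KEY-----\n"),
    "root/.ssh/authorized_keys": b"ssh-rsa AAAA root@device\n",  # public only
}

if __name__ == "__main__":
    print("keys shipped in the clear:", plaintext_keys(SAMPLE_IMAGE))
```

Only the two passphrase-less keys are reported; an `authorized_keys` holding just public material is harmless and is skipped.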

    4. Richard 26
      FAIL

      Re: Public / Private keys

      It sounds like the private keys were embedded in the update tool so the update utility could get a root login. So much easier than doing it right and having a proper code signing system. Sigh.

  7. Anonymous Coward 15
    Mushroom

    And all they wanted

    was a nice game of chess.

  8. Christoph
    Alien

    Where is Orson Welles when we need him?

    The Martians are invading! The Martians are invading!

  9. Anonymous Coward
    Anonymous Coward

    So what you're saying, is that you're not meant to...

    .....HIDE your secrets in plain-sight, then?

    obviously the spooks have it wrong then!

  10. Matt_payne666

    the great thing about open source is that all the code is out in the open which makes it so secure, much better than proprietary, closed source stuff, blah, blah, blah....

    ohhh.....

    Let Eadon back on to defend the almighty Linux!

    1. Daniel B.
      Facepalm

      Missing the point

      The image has a private SSH key in the open that has access to the accounts. It would be like having the official Windows Server release have 'password' as the default Administrator account password on it.

  11. Anonymous Coward
    Anonymous Coward

    V - for Vulnerability

    A/C for Icon

  12. Captain DaFt

    Are they *sure* the zombie alert was a prank?

    Is it just me, or has anyone else noticed there's been nothing else heard from Montana since then?

  13. Anonymous Coward
    Anonymous Coward

    Question for all...

    Does anyone listen to radio these days? What with all the cell phones and texting, maybe there should be an "alert all cell phones" in specific geographical areas as well.

    Of course, with the lax security that others have shown, it would be a wonderful prank to edit the president's voice to say something like "We have just exploded a Nuclear Bomb over Iran, the world is now safe" or some such (note to law enforcement: this is a joke/satire, don't arrest me!).

    Anonymous for obvious reasons

    1. Anonymous Coward
      Anonymous Coward

      Re: Question for all...

      Already is. You can luckily disable most of them except for "Presidential Alerts".

      On my phone the list is:

      Presidential

      Extreme

      Severe

      Amber

    2. Henry Wertz 1 Gold badge

      Re: Question for all...

      "Does anyone listen to radio these days? What with all the cell phones and texting, maybe there should be an "alert all cell phones" in specific geographical areas as well."

      There is. While under development it was called CMAS or PLAN depending on which agency you talked to (Commercial Mobile Alert System or Personal Localized Alerting Network.) It is now called WEA (Wireless Emergency Alerts.) These are available nationwide in the US, and phones started supporting reception of these alerts within the last several years. Several non-supporting models have also received firmware updates to support them (both my previous Motorola Droid 2 Global and current Samsung Stratosphere did not support these, then they did after a firmware update. These both have 2.3.x with WEA added on, I think Android 4.x supports WEA stock.)

      This system uses broadcast texts and a minor modification to the stock messaging app so it alerts on receipt of a message, subject to user control. It has options for "CMAS Test messages", AMBER alerts (this is for child abductions), "Severe alerts" (this is ordinarily severe thunderstorm or tornado warnings around here), "extreme alerts" (typically around here this means a tornado is on the ground), and "presidential alerts" (the nukes are on the way I suppose?) Presidential alerts cannot be disabled* while all others can be.

      (An example message:

      06/24/2013 2:36PM

      From: #CMAS#Extreme

      Tornado Warning in this area til 3:00 PM CDT. Take shelter now. Check local media. -NWS

      )

      *...Through the menu. If I set Handcent up to take over as "Default messaging application" for SMS and MMS, the stock app fails to alert, just the usual text messaging ding from Handcent.

      1. NullReference Exception
        Mushroom

        Re: Question for all...

        The Presidential Alert does indeed mean "the nukes are on the way". It's a bit of a relic of the Cold War, and has never actually been used in practice in any of its forms. (Not even on September 11, 2001.)

  14. Moist Owlet

    The station's call letters are KRTV - it's my local CBS affiliate. A similar message was broadcast in Michigan and New Mexico, it played on a radio station, too, if I remember right. Freaked some people out.
