http://www.wired.com/threatlevel/2013/07/eas-holes/
By Kim Zetter
Threat Level
Wired.com
07.08.13

Several models of Emergency Alert System decoders, used to break into TV
and radio broadcasts to announce public safety warnings, have
vulnerabilities that would allow hackers to hijack them and deliver fake
messages to the public, according to an announcement by a security firm on
Monday.

The vulnerabilities included a private root SSH key distributed in
publicly available firmware images, which would have allowed an attacker
with SSH access to a device to log in with root privileges and issue fake
alerts or disable the system.

IOActive principal research scientist Mike Davis uncovered the
vulnerabilities in the application servers of two digital alerting systems
known as DASDEC-I and DASDEC-II. The servers are responsible for receiving
and authenticating emergency alert messages.

"These DASDEC application servers are currently shipped with their root
privileged SSH key as part of the firmware update package," Davis said in
a statement. "This key allows an attacker to remotely log on in over the
Internet and can manipulate any system function."

[...]
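
A private key left inside a published firmware update package, as described
above, can be caught by a release check run over the unpacked package before
it ships. The following Python example is added here and is not code from the
article, IOActive or the vendor; the function names are hypothetical, and the
file paths and key bodies written by build_sample are constructed placeholders.

```python
import base64
import os
import re

KEY_RE = re.compile(  # PEM armor: PKCS#1 RSA, DSA, SEC1 EC, PKCS#8, OpenSSH
    rb"-----BEGIN ((?:RSA |DSA |EC |OPENSSH |ENCRYPTED )?PRIVATE KEY)-----"
    rb"(.*?)-----END \1-----", re.DOTALL)
MAGIC = b"openssh-key-v1\x00"

def is_protected(kind, body):
    """True only when the armor shows the key is passphrase-encrypted."""
    if kind == b"ENCRYPTED PRIVATE KEY" or b"Proc-Type: 4,ENCRYPTED" in body:
        return True
    try:
        blob = base64.b64decode(b"".join(body.split()))
    except ValueError:
        return False
    if kind == b"OPENSSH PRIVATE KEY" and blob.startswith(MAGIC) and len(blob) > 18:
        n = int.from_bytes(blob[15:19], "big")  # length of the cipher name
        return blob[19:19 + n] != b"none"
    return False  # unrecognised layout: report as unprotected

def scan_tree(root):
    """Return sorted (relative path, key type, protected) for every key found."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks and device nodes
            with open(path, "rb") as fh:
                data = fh.read()  # raw bytes: keys may sit inside binary blobs
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            findings += [(rel, m.group(1).decode(), is_protected(*m.groups()))
                         for m in KEY_RE.finditer(data)]
    return sorted(findings)

def build_sample(root):
    """Write a constructed unpacked-update tree; the bodies are not real keys."""
    def arm(kind, body):
        return b"-----BEGIN %s-----\n%s\n-----END %s-----\n" % (kind, body, kind)
    enc = base64.b64encode(MAGIC + (10).to_bytes(4, "big") + b"aes256-ctr")
    files = {"root/.ssh/id_rsa": arm(b"RSA PRIVATE KEY", b"Q09OU1RSVUNURUQ="),
             "opt/blob.bin": b"\x00" + arm(b"OPENSSH PRIVATE KEY", enc) + b"\xff",
             "root/.ssh/id_rsa.pub": b"ssh-rsa Q09OU1RSVUNURUQ= constructed\n"}
    for rel, data in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
```

Any finding with protected set to False is a usable private key in the
package; a release pipeline would fail the build on it and rotate that key.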