6/11/2023

Defcon warning system

A Digital Alert Systems EAS encoder/decoder that Pyle said he acquired off eBay in 2019. It had the username and password for the system printed on the machine.

The DHS warning was prompted by security researcher Ken Pyle, a partner at security firm Cybir. Pyle said he started acquiring old EAS equipment off of eBay in 2019, and that he quickly identified a number of serious security vulnerabilities in a device that is broadly used by states and localities to encode and decode EAS alert signals.

“I found all kinds of problems back then, and reported it to the DHS, FBI and the manufacturer,” Pyle said in an interview with KrebsOnSecurity. “I decided I wasn’t going to tell anyone about it yet because I wanted to give people time to fix it.”

Pyle said he took up the research again in earnest after an angry mob stormed the U.S.

“I was sitting there thinking, ‘Holy shit, someone could start a civil war with this thing,’” Pyle recalled. “I went back to see if this was still a problem, and it turns out it’s still a very big problem. So I decided that unless someone actually makes this public and talks about it, clearly nothing is going to be done about it.”

The EAS encoder/decoder devices Pyle acquired were made by Lyndonville, NY-based Digital Alert Systems (formerly Monroe Electronics, Inc.), which issued a security advisory this month saying it released patches in 2019 to fix the flaws reported by Pyle, but that some customers are still running outdated versions of the device’s firmware. That may be because the patches were included in version 4 of the firmware for the EAS devices, and many older models apparently do not support the new software.

“The vulnerabilities identified present a potentially serious risk, and we believe both were addressed in software updates issued beginning Oct 2019,” EAS said in a written statement. “We also provided attribution for the researcher’s responsible disclosure, allowing us to rectify the matters before making any public statements. We are aware that some users have not taken corrective actions and updated their software and should immediately take action to update the latest software version to ensure they are not at risk. Anything lower than version 4.1 should be updated immediately. On July 20, 2022, the researcher referred to other potential issues, and we trust the researcher will provide more detail. We will evaluate and work to issue any necessary mitigations as quickly as possible.”

But Pyle said a great many EAS stakeholders are still ignoring basic advice from the manufacturer, such as changing default passwords and placing the devices behind a firewall, not directly exposing them to the Internet, and restricting access only to trusted hosts and networks.

Pyle, in a selfie that is heavily redacted because the EAS device behind him had its user credentials printed on the lid.

Pyle said the biggest threat to the security of the EAS is that an attacker would only need to compromise a single EAS station to send out alerts locally that can be picked up by other EAS systems and retransmitted across the nation.

“The process for alerts is automated in most cases, hence, obtaining access to a device will allow you to pivot around,” he said. “There’s no centralized control of the EAS because these devices are designed such that someone locally can issue an alert, but there’s no central control over whether I am the one person who can send or whatever. If you are a local operator, you can send out nationwide alerts.”

One of the Digital Alert Systems devices Pyle sourced from an electronics recycler earlier this year was non-functioning, but whoever discarded it neglected to wipe the hard drive embedded in the machine. Pyle soon discovered the device contained the private cryptographic keys and other credentials needed to send alerts through Comcast, the nation’s third-largest cable company.

“I can issue and create my own alert here, which has all the valid checks or whatever for being a real alert station,” Pyle said in an interview earlier this month. “I can create a message that will start propagating through the EAS.”

Comcast told KrebsOnSecurity that “a third-party device used to deliver EAS alerts was lost in transit by a trusted shipping provider between two Comcast locations and subsequently obtained by a cybersecurity researcher.”

“We’ve conducted a thorough investigation of this matter and have determined that no customer data, and no sensitive Comcast data, were compromised,” Comcast spokesperson David McGuire said.
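The manufacturer's advice quoted above reduces to three checks an operator can run against an asset inventory: firmware at version 4.1 or later, factory credentials replaced, and the management interface reachable only from trusted networks rather than the open Internet. The script below is an added example, not code from the article, from Digital Alert Systems or from the researcher; the inventory fields, device names, firmware strings and the trusted networks are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Tuple

# The advisory's floor: "Anything lower than version 4.1 should be updated immediately."
MIN_FIRMWARE: Tuple[int, ...] = (4, 1)

# Hypothetical trusted management networks for one operator (constructed values).
TRUSTED_NETWORKS = [ip_network("10.20.0.0/24"), ip_network("192.168.50.0/24")]


@dataclass
class Device:
    """One EAS encoder/decoder as recorded in a hypothetical asset inventory."""
    name: str
    firmware: str
    default_credentials: bool      # factory username/password still in place?
    allowed_sources: List[str]     # networks the firewall lets reach the management port


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '4.1', '4.0.2' or 'v3.9' into a tuple of ints that compares numerically."""
    return tuple(int(p) for p in text.strip().lstrip("vV").split("."))


def firmware_outdated(version: str) -> bool:
    """True if the firmware is below the 4.1 floor; a bare '4' is treated as 4.0."""
    parts = parse_version(version)
    padded = parts + (0,) * max(0, len(MIN_FIRMWARE) - len(parts))
    return padded[: len(MIN_FIRMWARE)] < MIN_FIRMWARE


def untrusted_sources(allowed_sources: List[str]) -> List[str]:
    """Return every allowed source network that is not contained in a trusted network."""
    bad = []
    for src in allowed_sources:
        net = ip_network(src, strict=False)
        if not any(net.subnet_of(trusted) for trusted in TRUSTED_NETWORKS):
            bad.append(src)
    return bad


def audit(devices: List[Device]) -> Dict[str, List[str]]:
    """Map each device name to the mitigations it is missing (empty list = clean)."""
    report: Dict[str, List[str]] = {}
    for dev in devices:
        findings = []
        if firmware_outdated(dev.firmware):
            findings.append(f"firmware {dev.firmware} is below 4.1; update")
        if dev.default_credentials:
            findings.append("default credentials still in use; change them")
        for src in untrusted_sources(dev.allowed_sources):
            findings.append(f"management interface reachable from untrusted source {src}")
        report[dev.name] = findings
    return report


# Constructed sample inventory; names, versions and addresses are illustrative only.
SAMPLE_DEVICES = [
    Device("site-a-eas", "3.9", True, ["0.0.0.0/0"]),       # reachable from anywhere
    Device("site-b-eas", "4.1.2", False, ["10.20.0.0/24"]),  # meets all three checks
    Device("hub-eas", "4.0", False, ["10.20.0.0/24", "203.0.113.0/24"]),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_DEVICES).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

The exposure check treats an allow-list entry of 0.0.0.0/0 the same way as any other untrusted network, which is the case the article describes: a device placed directly on the Internet fails the check even if a firewall is nominally in front of it.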