Digital Alert Systems says that recent news coverage about EAS is old and no longer accurate.
Wired, Ars Technica and others recently ran items about the hacking that occurred in February. In that case, an individual or a group used false credentials to hack into an EAS encoder/decoder of a Montana television station and programmed a false alert into the unit; the alert was then apparently aired by that station and others farther down the daisy chain.
We reported back then that stations that had not changed their factory default password were vulnerable to hacking. Both FEMA and the FCC urged stations to update the password and make sure the IP connections to their EAS units were protected behind firewalls.
The story is being redistributed now because Web security firm IOActive said this week that the Cyber Emergency Response Team indicated last month that vulnerabilities still exist in the DAS units.
Digital Alert Systems Senior Director for Strategy, Development & Regulatory Affairs Ed Czarnecki says his company issued its own advisory as a precaution more than two months ago, first directly to customers and then publicly.
DAS included a cumulative security update in the v2.0-2 software release that addressed the issues raised by CERT, he told Radio World. “Importantly, these issues could become potential vulnerabilities only where basic network security practices are not followed, such as using firewalls and other measures to secure network connections.”
Additionally, Czarnecki said: “We gave v2.0-2 a soft launch in March 2013, followed by a general release in April 2013. Version 2.0-2 removed the default root SSH keys, and provided a number of security enhancements. Users who previously disabled or changed their SSH keys and default passwords are not impacted, but should apply the v2.0-2 update nonetheless.”
There have been no reports of any incidents relating to SSH keys, he said, noting that most DAS customers have obtained the software update.