[EAS] ALERT: EAS Device passwords

ray at electronicstheory.com
Wed Feb 13 14:42:36 CST 2013


Don Heppelmann:

<snip>It would be interesting knowing how the 'hacker' got the audio portion
into the EAS encoder as well. If this alert was triggered via IP, as opposed to
an incoming decoded signal, then another path for the audio was needed.
</snip>

Ok folks.  Having as many boxes as I do, I'm fairly deep into this.  I'm going
to pass on all the information I can that will help.

No one has yet told me I can't pass this along, and I don't think it will hurt
anyone's investigation.

Here's what I saw:
1) Of the hundred plus boxes I have - they did get into one.  It was set to the
factory passwords before going into the factory for maintenance (to make it easy
on them).  When it returned, I somehow missed that one item on my 85 point
checklist.  I changed the root password, but not the web interface admin
password.   Duh.
2) Of all the boxes I have - the only ones that are being targeted are the ones
that are NOT behind a firewall.  In other words - they are in the wild.  Why?
 Because AT&Turtle can't get connectivity fast enough, and we can only roll out
our "special vpn routers" so quickly.  In short - we are pedaling as fast as we
can, but it is a big hill, and we only have one gear.
3) We have about 7 boxes in the wild, and of those - only 1 were they able to
actually get into, and that only on the web interface.
4) On those 7 boxes - we have had literally thousands of password attempts per
day. (at about one attack every 2 or 3 seconds per box).

The SSH attacks started well before the announcement ever went over the air.

Concerning the box that was actually "penetrated":  They sent an LAE (not a RWT)
from the local station. They uploaded the 60 second message to the box from
their remote location, then they triggered it.

I still have to finish going through that box to ensure that it hasn't had
anything else done to it - but this looks more like a script kiddie got in than
a true hacker.

The two big concerns to me are:
1) How did they find the IP addresses of all these DASDECS?  I could understand
it being a company leak if it was only one company that was affected - but this
was multiple stations across the country.  I believe they googled it.  Strangely,
there was nothing telling the crawlers not to examine and publish the contents
of these active web servers.  That to me is security issue number one.  If you
create a webserver, and put it on the web, why wouldn't you expect people to
look at it and get curious (if not frisky)?
2) Someone was actively and aggressively trying to gain command prompt
access on ALL of my exposed boxes - all at the same time.  This looks like a
coordinated attack, yet no one has come forward to claim the prize of being the
one who hacked EAS.  The attacks were coming from IP addresses from numerous
countries - some traced directly to proxies in what looks like the Tor network.
 I believe they will continue to try until and possibly after they gain access.

The question is - to what end?  I can understand the zombie prank.  They had
fun.  That was that.

But using scripts to gain root level access to the boxes sounds a bit more
nefarious. There is no money to be made by hacking EAS - so to me, they either
want to use it for some political purpose (to put out a message), or to use as a
launching platform for some other attack.  I believe the latter.  If they can
gain access to a thousand servers across the country - that is a thousand
servers they can launch an attack from.  Or, possibly

My two cents.  Hopefully - it adds to the conversation, and helps folks
understand what happened, and what is still happening.
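As an added illustration of the password-guessing pressure described in item 4 of the post (thousands of attempts per day, roughly one every 2-3 seconds per exposed box), here is a small detector run over sshd log lines. This is example code written for this page, not anything from the post's author or from the DASDEC vendor; the log lines are constructed to look like OpenSSH syslog output, and the host names, addresses, threshold and window are assumptions.

```python
"""Flag hosts under SSH password-guessing pressure from sshd log lines.

Added example, not from the original post. The log lines below are constructed
to resemble OpenSSH syslog output; host names, addresses, the attempt threshold
and the time window are all assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: three boxes, one of which ("dasdec-7") is being hammered
# at roughly one attempt every 2-3 seconds, as the post describes.
SAMPLE_LOG = """\
Feb 13 14:00:01 dasdec-1 sshd[2201]: Failed password for root from 203.0.113.5 port 50211 ssh2
Feb 13 14:00:04 dasdec-7 sshd[1102]: Failed password for invalid user admin from 198.51.100.9 port 41022 ssh2
Feb 13 14:00:06 dasdec-7 sshd[1103]: Failed password for root from 198.51.100.9 port 41023 ssh2
Feb 13 14:00:09 dasdec-7 sshd[1104]: Failed password for root from 192.0.2.77 port 33011 ssh2
Feb 13 14:00:11 dasdec-7 sshd[1105]: Failed password for invalid user oracle from 192.0.2.77 port 33012 ssh2
Feb 13 14:00:14 dasdec-7 sshd[1106]: Failed password for root from 198.51.100.9 port 41024 ssh2
Feb 13 14:00:30 dasdec-2 sshd[3301]: Accepted publickey for ops from 10.0.0.4 port 55000 ssh2
Feb 13 14:00:45 dasdec-1 sshd[2202]: Failed password for root from 203.0.113.5 port 50212 ssh2
"""

# Matches the OpenSSH "Failed password" line, with or without "invalid user".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_failures(log_text, year=2013):
    """Return a list of (timestamp, host, user, src) for each failed password attempt.

    Syslog lines carry no year, so one is supplied (assumed 2013 to match the post).
    """
    out = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        out.append((ts, m["host"], m["user"], m["src"]))
    return out


def brute_force_hosts(log_text, min_attempts=5, window_seconds=60):
    """Return {host: summary} for hosts seeing >= min_attempts failures inside any window.

    A sliding window over the sorted failure times catches the steady drip the post
    describes (one attempt every few seconds) without flagging a single mistyped login.
    """
    by_host = defaultdict(list)
    for ts, host, user, src in parse_failures(log_text):
        by_host[host].append((ts, user, src))
    flagged = {}
    for host, events in by_host.items():
        events.sort()
        times = [e[0] for e in events]
        lo = 0
        for hi in range(len(times)):
            while (times[hi] - times[lo]).total_seconds() > window_seconds:
                lo += 1
            if hi - lo + 1 >= min_attempts:
                span = (times[-1] - times[0]).total_seconds()
                flagged[host] = {
                    "attempts": len(events),
                    "sources": sorted({e[2] for e in events}),
                    "usernames": sorted({e[1] for e in events}),
                    "mean_interval_s": round(span / max(len(events) - 1, 1), 1),
                }
                break
    return flagged


if __name__ == "__main__":
    for host, summary in brute_force_hosts(SAMPLE_LOG).items():
        print(host, summary)
```

Run against a real /var/log/auth.log (or the journal output of sshd) the same function reports, per box, how many distinct source addresses and usernames are involved, which is the quickest way to tell a single curious scanner from the coordinated, multi-source pattern the post describes.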


