[EAS] Digital Alert Systems From Monroe Electronics Contain a Known SSH Private Key and are Vulnerable to Remote Attack
Alex Hartman
goober at goobe.net
Tue Jul 9 14:12:18 CDT 2013
The easiest method of security from the vendor side (which is highly recommended for ALL vendors) is to TURN OFF these services by default and let the end user turn them on explicitly. There's no need for SSH on an EAS box IMO. There's no need for shell access.
Take a play from Comrex and use a shared-key system, while the vendor holds the unlock key ONLY. Not used for anyone else. And even still, it's turned off by default.
--
Alex Hartman