The Department of Homeland Security (DHS) is urging states and localities to beef up security around proprietary devices that connect to the Emergency Alert System — a national public warning system used to deliver important emergency information, such as severe weather and AMBER alerts. The DHS warning came in advance of a workshop to be held this weekend at the DEFCON security conference in Las Vegas, where a security researcher is slated to demonstrate multiple weaknesses in the nationwide alert system.
The DHS warning was prompted by security researcher Ken Pyle, a partner at security firm Cybir. Pyle said he started acquiring old EAS equipment off of eBay in 2019, and that he quickly identified a number of serious security vulnerabilities in a device that is broadly used by states and localities to encode and decode EAS alert signals.
“I found all kinds of problems back then, and reported it to the DHS, FBI and the manufacturer,” Pyle said in an interview with KrebsOnSecurity. “But nothing ever happened. I decided I wasn’t going to tell anyone about it yet because I wanted to give people time to fix it.”
Pyle said he took up the research again in earnest after an angry mob stormed the U.S. Capitol on Jan. 6, 2021.
“I was sitting there thinking, ‘Holy shit, someone could start a civil war with this thing,”’ Pyle recalled. “I went back to see if this was still a problem, and it turns out it’s still a very big problem. So I decided that unless someone actually makes this public and talks about it, clearly nothing is going to be done about it.”
The EAS encoder/decoder devices Pyle acquired were made by Lyndonville, NY-based Digital Alert Systems (formerly Monroe Electronics, Inc.), which issued a security advisory this month saying it released patches in 2019 to fix the flaws reported by Pyle, but that some customers are still running outdated versions of the device’s firmware. That may be because the patches were included in version 4 of the firmware for the EAS devices, and many older models apparently do not support the new software.
“The vulnerabilities identified present a potentially serious risk, and we believe both were addressed in software updates issued beginning Oct 2019,” EAS said in a written statement. “We also provided attribution for the researcher’s responsible disclosure, allowing us to rectify the matters before making any public statements. We are aware that some users have not taken corrective actions and updated their software and should immediately take action to update the latest software version to ensure they are not at risk. Anything lower than version 4.1 should be updated immediately. On July 20, 2022, the researcher referred to other potential issues, and we trust the researcher will provide more detail. We will evaluate and work to issue any necessary mitigations as quickly as possible.”
But Pyle said a great many EAS stakeholders are still ignoring basic advice from the manufacturer, such as changing default passwords and placing the devices behind a firewall, not directly exposing them to the Internet, and restricting access only to trusted hosts and networks.
Pyle said the biggest threat to the security of the EAS is that an attacker would only need to compromise a single EAS station to send out alerts locally that can be picked up by other EAS systems and retransmitted across the nation.
“The process for alerts is automated in most cases, hence, obtaining access to a device will allow you to pivot around,” he said. “There’s no centralized control of the EAS because these devices are designed such that someone locally can issue an alert, but there’s no central control over whether I am the one person who can send or whatever. If you are a local operator, you can send out nationwide alerts. That’s how easy it is to do this.”
One of the Digital Alert Systems devices Pyle sourced from an electronics recycler earlier this year was non-functioning, but whoever discarded it neglected to wipe the hard drive embedded in the machine. Pyle soon discovered the device contained the private cryptographic keys and other credentials needed to send alerts through Comcast, the nation’s third-largest cable company.
“I can issue and create my own alert here, which has all the valid checks or whatever for being a real alert station,” Pyle said in an interview earlier this month. “I can create a message that will start propagating through the EAS.”
Comcast told KrebsOnSecurity that “a third-party device used to deliver EAS alerts was lost in transit by a trusted shipping provider between two Comcast locations and subsequently obtained by a cybersecurity researcher.
“We’ve conducted a thorough investigation of this matter and have determined that no customer data, and no sensitive Comcast data, were compromised,” Comcast spokesperson David McGuire said.
The company said it also confirmed that the information included on the device can no longer be used to send false messages to Comcast customers or used to compromise devices within Comcast’s network, including EAS devices.
“We are taking steps to further ensure secure transfer of such devices going forward,” McGuire said. “Separately, we have conducted a thorough audit of all EAS devices on our network and confirmed that they are updated with currently available patches and are therefore not vulnerable to recently reported security issues. We’re grateful for the responsible disclosure and to the security research community for continuing to engage and share information with our teams to make our products and technologies ever more secure. Mr. Pyle informed us promptly of his research and worked with us as we took steps to validate his findings and ensure the security of our systems.”
Unauthorized EAS broadcast alerts have happened enough that there is a chronicle of EAS compromises over at fandom.com. Thankfully, most of these incidents have involved fairly obvious hoaxes.
According to the EAS wiki, in February 2013, hackers broke into the EAS networks in Great Falls, Mt. and Marquette, Mich. to broadcast an alert that zombies had risen from their graves in several counties. In Feb. 2017, an EAS station in Indiana also was hacked, with the intruders playing the same “zombies and dead bodies” audio from the 2013 incidents.
“On February 20 and February 21, 2020, Wave Broadband’s EASyCAP equipment was hacked due to the equipment’s default password not being changed,” the Wiki states. “Four alerts were broadcasted, two of which consisted of a Radiological Hazard Warning and a Required Monthly Test playing parts of the Hip Hop song Hot by artist Young Thug.”
In January 2018, Hawaii sent out an alert to cell phones, televisions and radios, warning everyone in the state that a missile was headed their way. It took 38 minutes for Hawaii to let people know the alert was a misfire, and that a draft alert was inadvertently sent. The news video clip below about the 2018 event in Hawaii does a good job of walking through how the EAS works.
The Department of Homeland Security (DHS) is urging states and localities to beef up security around proprietary devices that connect to the Emergency Alert System — a national public warning system used to deliver important emergency information, such as severe weather and AMBER alerts. The DHS warning came in advance of a workshop to be held this weekend at the DEFCON security conference in Las Vegas, where a security researcher is slated to demonstrate multiple weaknesses in the nationwide alert system.Read More
A class action lawsuit has been filed against big-three consumer credit bureau Experian over reports that the company did little to prevent identity thieves from hijacking consumer accounts. The legal filing cites liberally from an investigation KrebsOnSecurity published in July, which found that identity thieves were able to assume control over existing Experian accounts simply by signing up for new accounts using the victim’s personal information and a different email address.
The lawsuit, filed July 28, 2022 in California Central District Court, argues that Experian’s documented practice of allowing the re-registration of existing Experian accounts without first verifying that the existing account holder authorized the changes violates the
In July’s Experian, You Have Some Explaining to Do, we heard from two different readers who had security freezes on their credit files with Experian and who also recently received notifications from Experian that the email address on their account had been changed. So had their passwords and account PIN and secret questions. Both had used password managers to pick and store complex, unique passwords for their accounts.
Both were able to recover access to their Experian account simply by recreating it — sharing their name, address, phone number, social security number, date of birth, and successfully gleaning or guessing the answers to four multiple choice questions that are almost entirely based on public records (or else information that is not terribly difficult to find).
Here’s the bit from that story that got excerpted in the class action lawsuit:
KrebsOnSecurity sought to replicate Turner and Rishi’s experience — to see if Experian would allow me to re-create my account using my personal information but a different email address. The experiment was done from a different computer and Internet address than the one that created the original account years ago.
After providing my Social Security Number (SSN), date of birth, and answering several multiple choice questions whose answers are derived almost entirely from public records, Experian promptly changed the email address associated with my credit file. It did so without first confirming that new email address could respond to messages, or that the previous email address approved the change.
Experian’s system then sent an automated message to the original email address on file, saying the account’s email address had been changed. The only recourse Experian offered in the alert was to sign in, or send an email to an Experian inbox that replies with the message, “this email address is no longer monitored.”
After that, Experian prompted me to select new secret questions and answers, as well as a new account PIN — effectively erasing the account’s previously chosen PIN and recovery questions. Once I’d changed the PIN and security questions, Experian’s site helpfully reminded me that I have a security freeze on file, and would I like to remove or temporarily lift the security freeze?
To be clear, Experian does have a business unit that sells one-time password services to businesses. While Experian’s system did ask for a mobile number when I signed up a second time, at no time did that number receive a notification from Experian. Also, I could see no option in my account to enable multi-factor authentication for all logins.
In response to my story, Experian suggested the reports from readers were isolated incidents, and that the company does all kinds of things it can’t talk about publicly to prevent bad people from abusing its systems.
“We believe these are isolated incidents of fraud using stolen consumer information,” Experian’s statement reads. “Specific to your question, once an Experian account is created, if someone attempts to create a second Experian account, our systems will notify the original email on file.”
“We go beyond reliance on personally identifiable information (PII) or a consumer’s ability to answer knowledge-based authentication questions to access our systems,” the statement continues. “We do not disclose additional processes for obvious security reasons; however, our data and analytical capabilities verify identity elements across multiple data sources and are not visible to the consumer. This is designed to create a more positive experience for our consumers and to provide additional layers of protection. We take consumer privacy and security seriously, and we continually review our security processes to guard against constant and evolving threats posed by fraudsters.”
That sounds great, but since that story ran I’ve heard from several more readers who were doing everything right and still had their Experian accounts hijacked, with little left to show for it except an email alert from Experian saying they had changed the address on file for the account.
I’d like to believe this class action lawsuit will change things, but I do not. Likely, the only thing that will come from this lawsuit — if it is not dismissed outright — is a fat payout for the plaintiffs’ attorneys and “free” credit monitoring for a few years compliments of Experian.
Credit bureaus do not view consumers as customers, who are instead the product that is being sold to third party companies. Often that data is sold based on the interests of the entity purchasing the data, wherein consumer records can be packaged into categories like “dog owner,” “expectant parent,” or “diabetes patient.”
Nevertheless, most lenders rely on the big-three consumer credit reporting bureaus, including Equifax, Experian and Trans Union — to determine everyone’s credit score, fluctuations in which can make or break one’s application for a loan or job.
On Tuesday, The Wall Street Journal broke a story saying Equifax sent lenders incorrect credit scores for millions of consumers this spring.
Meanwhile, the credit bureaus keep enjoying record earnings. For its part, Equifax reported a record fourth quarter 2021 revenue of 1.3 billion. Much of that revenue came from its Workforce Solutions business, which sells information about consumer salary histories to a variety of customers.
The Biden administration reportedly wants to create a public entity within the Consumer Financial Protection Bureau (CFPB) that would incorporate factors like rent and utility payments into lending decisions. Such a move would require congressional approval but CFPB officials are already discussing how it might be set up, Reuters reported.
“Credit reporting firms oppose the move, saying they are already working to provide fair and affordable credit to all consumers,” Reuters wrote. “A public credit bureau would be bad for consumers because it would expand the government’s power in an inappropriate way and its goals would shift with political winds, the Consumer Data Industry Association (CDIA), which represents private rating firms, said in a statement.”
A public credit bureau is likely to meet fierce resistance from the Congress’s most generous constituents — the banking industry — which detests rapid change and is heavily reliant on the credit bureaus.
And there is a preview of that fight going on right now over the bipartisan American Data Privacy and Protection Act, which The Hill described as one of the most lobbied bills in Congress. The idea behind the bill is that companies can’t collect any more information from you than they need to provide you with the service you’re seeking.
“The bipartisan bill, which represents a breakthrough for lawmakers after years of negotiations, would restrict the kind of data companies can collect from online users and the ways they can use that data,” The Hill reported Aug. 3. “Its provisions would impact companies in every consumer-centric industry — including retailers, e-commerce giants, telecoms, credit card companies and tech firms — that compile massive amounts of user data and rely on targeted ads to attract customers.”
According to the Electronic Frontier Foundation, a nonprofit digital rights group, the bill as drafted falls short in protecting consumers in several areas. For starters, it would override or preempt many kinds of state privacy laws. The EFF argues the bill also would block the Federal Communications Commission (FCC) from enforcing federal privacy laws that now apply to cable and satellite TV, and that consumers should still be allowed to sue companies that violate their privacy.
A copy of the class action complaint against Experian is available here (PDF).
A class action lawsuit has been filed against big-three consumer credit bureau Experian over reports that the company did little to prevent identity thieves from hijacking consumer accounts. The legal filing cites liberally from an investigation KrebsOnSecurity published in July, which found that identity thieves were able to assume control over existing Experian accounts simply by signing up for new accounts using the victim’s personal information and a different email address.Read More
Dierentuin Artis heeft de systemen die vorige maand door ransomware werden getroffen via back-ups weten te herstellen, zo heeft …Dierentuin Artis heeft de systemen die vorige maand door ransomware werden getroffen via back-ups weten te herstellen, zo heeft …Read More