
Rave Panic Button: Vulnerabilities in a Nationwide Emergency Alert System - rwestergren
https://randywestergren.com/rave-panic-button-vulnerabilities-nationwide-emergency-alert-system/
======
zaroth
So they found a hard-coded API token and no further user authentication to
limit the requests. This is obviously a common rookie mistake (didn't
Facebook, Snapchat, Instagram all fall for this at some point?) and security
software particularly should not have such a basic vulnerability, but I do
think TFA veers past security writeup into editorial when they start
critiquing the cost/pricing and calling for customers to drop the software,
particularly since the vendor was responsive to the report.

It seems like maybe the vendor's communication trailed off toward the end
leaving OP with bad feelings which show up in the write-up.

Generally I like to see security research and vulnerabilities reported as a
way to document the process used and experience gained, but not to skewer the
company except with respect to their responsiveness of a patch.

Of course, everyone here is free to skewer the app as much as they like, I
just don't like reading it in the actual write-up.

~~~
caf
Sure, but.. this isn't Instagram, is it? Somehow I feel that if you're
purporting to build a safety-critical service, the bar ought to be set a bit
higher for you than if you're sharing pictures of people's lunch.

It's a common rookie mistake, but perhaps the takeaway is that this kind of
area isn't something that rookies should be tackling.

~~~
patcheudor
>Sure, but.. this isn't Instagram, is it? Somehow I feel that if you're
purporting to build a safety-critical service, the bar ought to be set a bit
higher for you than if you're sharing pictures of people's lunch.

To your point and going back to what zaroth was getting at I'm wondering why I
didn't see the typical references to a bug bounty, permission or payout that
are typical in write-ups of this nature. This really does concern me.

Poking around server-side with an account you clearly weren't meant to
interact with could have serious repercussions up to and including service
outages. You'd be amazed at the sorts of mistakes I've seen in code that could
lead to unintentionally taking down a service. A number of years ago I
discovered a flaw with a major identity management provider. If the POST
request parameters were placed out of expected order it crashed the
application into a zombied state where it could no longer accept requests,
causing a denial of service situation until it was restarted. Worse, the event
wasn't logged. You don't typically log POSTs in the HTTPD and they didn't have
application layer logging at that level either so without monitoring HTTPS
traffic there was no way to troubleshoot why the application was hanging.

I've seen lots of vulnerabilities like this including in life critical
systems. Because of the unexpected as well as US law, I always check to see if
there's a bug bounty first or I reach out to the vendor and get written
permission. I really am paranoid about what's in criminal code as well as
accidentally causing an outage.

There are certainly a number of ethics and possibly legal issue which appear
to be at play here beyond just embarrassing the company.

Hopefully we'll here more about the bug bounty program.

------
rixrax
Montana TV station EAS system hacked a few years a go [1]. While I applaud for
the humor, I am still in awe of how little attention this Orson Welles(ish)
episode got.

[1]:
[https://www.youtube.com/watch?v=TQWtqJylMKQ](https://www.youtube.com/watch?v=TQWtqJylMKQ)

------
sailfast
This discovery and write-up was an awesome read but I do disagree on the price
critique. 70K seems relatively inexpensive for deployment of an app at a state
level, let alone development of an app. Proof of Concept, perhaps but what
does a full security audit cost these days? If anything I would be concerned
that the budget did not include those kinds of factors and should have cost a
bit more :)

This article does lead me to wonder if Rave has missed an opportunity -
installation of an app on Crestron / Andoird room automation systems that
accomplish similar things. That would take the mobile component out but still
have a benefit from a facilities / awareness perspective.

~~~
rwestergren
Appreciate the feedback! My point on the price concern was that the app was
not developed solely for my county, it was resold to multiple customers - at
least 2,000 according to the link I posted in another comment.

I'm not sure what other customers were charged for the app, but if they were
all $70K (as my County was), then that's a hefty rake.

~~~
thefalcon
That makes sense now, but was not clearly communicated in the post (consider
clarifying there).

------
stuaxo
The author says that $70k seems a lot to build the app.

I don't know how long it took, but depending on the size of the team etc, it
sounds pretty cheap TBH - certainly not enough $ there to make something
secure and supported.

~~~
rwestergren
They have at least 2K customers according to this:
[http://www.king5.com/tech/schools-businesses-emergency-
respo...](http://www.king5.com/tech/schools-businesses-emergency-responders-
talk-tech-and-public-safety/346228264)

Not sure what each customer was charged, but it sounds like the app/system was
resold to individual customers at a pretty hefty price.

~~~
mrgoldenbrown
What was included in the 70k? Typically the govt agency I work for bundles
things like support for 5 years, professional services, data migration, maybe
even hosting into the "purchase" price because capital is easier to get than
operating budget.

------
raesene9
Interesting technical detail but for me the main takeaway from that was that
we're still seeing expensive software systems ($70k per customer) being
procured by large numbers of organizations (~2000 customers) to do safety
critical work, and still none of them are mandating security reviews as part
of the procurement process (or indeed requiring the vendor to have had a
review done).

The vulns found here are serious, but any moderately detailed app security
review should/would have found them.

Until customers start requiring security reviews for the software their buying
we'll see a load more insecure apps being sold.

~~~
drc500free
It's not $70k per customer. It's $70k in development costs. On the other hand,
2000 customers is for all of the developer's products, not just this app.

------
ParadoxOryx
That's definitely concerning. Makes you wonder how well secured our other
emergency/critical systems really are.

------
patcheudor
Hey, good find but I'm a little confused. It appears that you found what could
be a serious issue if no other checks are in place; however, in doing so you
appear to have exceeded the access you were provided through the application
to their back-end system. Did this fall under a bug bounty program where you
had permission to do this or did the company give you written permission? I
was looking for a bug bounty program and couldn't find one.

I ask because it looks like you were performing testing which touched their
infrastructure, not just your phone and the US Computer Fraud and Abuse act
gets pretty scary (Felony scary) when it comes to such things:

[https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act](https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act)

I do a ton of mobile application reviews and find stuff like this quite often
but back away at the point I start touching their infrastructure rather than
just my phone.

------
charonn0
> In order to confirm this suspicion, I decided to proxy my phone’s traffic
> and attempt registering with the app using dummy phone values.

Am I wrong in assuming that being able to proxy the app's HTTPS traffic is
evidence of another security problem, specifically that the app is not
validating the server's SSL certificate?

~~~
zaroth
No, the proxy is a trusted CA and so it can mint a valid cert.

It does mean they are not pinning their cert, but most apps do not.

Even if it was pinned, you just have to disassemble and modify the pin and you
can still MITM.

------
wildrhythms
Great snooping, and an awesome writeup! As the author points out,
organizations should be wary of security even when the developer/publisher
claims that it's secure.

------
elipsey
The vendor was notified three weeks before this public disclosure. Is this
reasonable? How should a timeline for public disclosure be determined?

~~~
icebraining
You're misreading, it was in November.

------
thescriptkiddie
Anyone have a mirror for the redacted source code?

~~~
uxp
Here you go: [http://archive.is/Ui0Ap](http://archive.is/Ui0Ap)

Courtesy /u/Vusys on Reddit from /r/netsec

------
rhodrid
Rave Panic Button: For when the drop goes too deep.

