Rave Panic Button: Vulnerabilities in a Nationwide Emergency Alert System (randywestergren.com)
> In order to confirm this suspicion, I decided to proxy my phone’s traffic and attempt registering with the app using dummy phone values.

Am I wrong in assuming that being able to proxy the app's HTTPS traffic is evidence of another security problem, specifically that the app is not validating the server's SSL certificate?

Montana TV station EAS system hacked a few years ago [1]. While I applaud the humor, I am still in awe of how little attention this Orson Welles(ish) episode got.

[1]: https://www.youtube.com/watch?v=TQWtqJylMKQ

The vendor was notified three weeks before this public disclosure. Is this reasonable? How should a timeline for public disclosure be determined?

Great snooping, and an awesome writeup! As the author points out, organizations should be wary of security even when the developer/publisher claims that it's secure.

The author says that $70k seems a lot to build the app.

I don't know how long it took, but depending on the size of the team etc, it sounds pretty cheap TBH - certainly not enough $ there to make something secure and supported.

They have at least 2K customers according to this: http://www.king5.com/tech/schools-businesses-emergency-respo...

Not sure what each customer was charged, but it sounds like the app/system was resold to individual customers at a pretty hefty price.

I read it as they charged one customer $70k. I imagine they plan on having more customers at some point.

That's definitely concerning. Makes you wonder how well secured our other emergency/critical systems really are.

Rave Panic Button: For when the drop goes too deep.

