CVE-2018-8864

Vulnerability

ATI Systems Emergency Mass Notification Systems (HPSS16, HPSS32, MHPSS, and ALERT4000) suffer from a missing encryption of sensitive data vulnerability (CWE-311). The command packets sent over radio are not encrypted, allowing an attacker to forge legitimate-looking transmissions. No authentication is required to exploit this flaw. The affected devices are used worldwide in critical infrastructure sectors such as commercial facilities, defense, emergency services, and government facilities [1].

Exploitation

An attacker needs to be within radio range (adjacent network) to send specially crafted malicious radio transmissions. No authentication or user interaction is required. The attacker crafts a radio packet that mimics a valid command and transmits it to the target system, which then processes the packet and triggers a false alarm [1].

Impact

Successful exploitation allows the attacker to remotely trigger false alarms on the affected notification systems. This results in a high integrity impact (false information) but no direct confidentiality or availability impact. False alarms can cause unnecessary panic, disruption of operations, and potential resource drain on emergency services [1].

Mitigation

ATI Systems has created a patch that adds additional security features to the command packets sent over the radio. The patch is available upon request and should be tested before deployment. ATI also recommends replacing simple voice radios with digital P-25 (APCO) radios, which provide highly secure encrypted links. No fixed version number has been publicly released. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog [1].