FEMA issues bulletin: Emergency Alert System (EAS) Vulnerability

guest · Aug 4, 2022

Federal Emergency Management Agency (FEMA)
August 1, 2022

We recently became aware of certain vulnerabilities in EAS encoder/decoder devices that, if not updated to most recent software versions, could allow an actor to issue EAS alerts over the host infrastructure (TV, radio, cable network).

This exploit was successfully demonstrated by Ken Pyle, a security researcher at CYBIR.com, and may be presented as a proof of concept at the upcoming DEFCON 2022 conference in Las Vegas, August 11-14.
In short, the vulnerability is public knowledge and will be demonstrated to a large audience in the coming weeks.
Click to expand...

FEMA strongly encourages EAS participants to ensure that:

EAS devices and supporting systems are up to date with the most recent software versions and security patches;

EAS devices are protected by a firewall;

EAS devices and supporting systems are monitored and audit logs are regularly reviewed looking for unauthorized access.

We value our partnership with broadcasters and appreciate your efforts to maintain public trust and confidence in the Emergency Alert System.
Click to expand...

guest · Aug 5, 2022

FEMA Urges Patching of Emergency Alert Systems, But Some Flaws Remain Unfixed
August 5, 2022

The emergency alert system (EAS) in the United States enables authorities to broadcast emergency alerts and warning messages — such as weather and AMBER alerts — to the public over TV and radio.

FEMA warned this week in an Integrated Public Alert and Warning System (IPAWS) advisory that vulnerabilities affecting EAS encoder and decoder devices can allow hackers to issue unauthorized alerts over TV, radio and cable networks. This has been known to happen. In 2020, hackers exploited a vulnerable device to issue a false warning of a radiological hazard.
Click to expand...

While the FEMA advisory does not name impacted products, Pyle told SecurityWeek that he conducted his research on the R189 DASDEC encoder/decoder from Digital Alert Systems, formerly Monroe Electronics. The researcher acquired the device from eBay.

He plans on showing at DEF CON that the devices are unencrypted, implemented poorly, they reuse keys, and their software is highly insecure, with web application vulnerabilities that put them at risk. The researcher says he has also obtained credentials and metadata on several EAS networks and providers as a result of his analysis.
Pyle also warns that many stations leave the affected devices exposed on the internet — as shown by a Shodan search — making it easier for hackers to exploit vulnerabilities.
Click to expand...

FEMA’s alert suggests that installing the latest update on the EAS encoder can prevent abuse, but Pyle claims it does not, as there are problems that the vendor has not fixed or cannot fix, including issues related to practices, implementation and design.

The researcher says the vendor is downplaying the severity of his findings, but the company does not even have the full picture.

“I haven’t fully disclosed all of my research to them due to lack of cooperation and communications,” the researcher told SecurityWeek.
Click to expand...

EASTER · Aug 5, 2022

Seems the hackers have already tested plenty of those relay stations and a few if not more were successful at getting in and adjusting alerts/announcements and the like. They really should be password protected in the strictest of measures.

guest · Aug 12, 2022

Sounding the Alarm on Emergency Alert System Flaws
August 12, 2022

The Department of Homeland Security (DHS) is urging states and localities to beef up security around proprietary devices that connect to the Emergency Alert System — a national public warning system used to deliver important emergency information, such as severe weather and AMBER alerts. The DHS warning came in advance of a workshop to be held this weekend at the DEFCON security conference in Las Vegas, where a security researcher is slated to demonstrate multiple weaknesses in the nationwide alert system.
Click to expand...

Pyle said the biggest threat to the security of the EAS is that an attacker would only need to compromise a single EAS station to send out alerts locally that can be picked up by other EAS systems and retransmitted across the nation.

“The process for alerts is automated in most cases, hence, obtaining access to a device will allow you to pivot around,” he said. “There’s no centralized control of the EAS because these devices are designed such that someone locally can issue an alert, but there’s no central control over whether I am the one person who can send or whatever. If you are a local operator, you can send out nationwide alerts. That’s how easy it is to do this.”
Click to expand...

Unauthorized EAS broadcast alerts have happened enough that there is a chronicle of EAS compromises over at fandom.com. Thankfully, most of these incidents have involved fairly obvious hoaxes.

According to the EAS wiki, in February 2013, hackers broke into the EAS networks in Great Falls, Mt. and Marquette, Mich. to broadcast an alert that zombies had risen from their graves in several counties. In Feb. 2017, an EAS station in Indiana also was hacked, with the intruders playing the same “zombies and dead bodies” audio from the 2013 incidents.

“On February 20 and February 21, 2020, Wave Broadband’s EASyCAP equipment was hacked due to the equipment’s default password not being changed,” the Wiki states.
“Four alerts were broadcasted, two of which consisted of a Radiological Hazard Warning and a Required Monthly Test playing parts of the Hip Hop song Hot by artist Young Thug.”
Click to expand...

guest · Sep 9, 2022

FCC proposes cybersecurity changes to emergency alert system
By Jonathan Greig @jgreigj - September 9, 2022

Federal Communications Commission (FCC) chairwoman Jessica Rosenworcel has proposed several changes to the U.S. Emergency Alert System (EAS) and Wireless Emergency Alerts designed to beef up the cybersecurity of the systems following the discovery of vulnerabilities last month.

The systems allow the federal government, the president or state-level officials to send out emergency warnings about a range of issues including potential weather events or AMBER alerts for missing children.
Click to expand...

But last month, the Federal Emergency Management Agency (FEMA) issued a warning to participants in the EAS that vulnerabilities can be used to allow threat actors to issue alerts over TV, radio, and cable networks.

A spokesperson for the FCC told The Record that as of December, there were approximately 25,644 EAS participants in the U.S. and its territories.

“One of the problems is these are everywhere, anyone can launch an alert with the right access… even by accident,” he explained. “No one can or will tell you what the patch status is… but they will definitely say it’s not zero. That uncertainty should terrify you.”
Click to expand...

Rosenworcel’s proposal this week would require EAS participants to report compromises of their EAS equipment and require that both EAS participants as well as participants in the Wireless Emergency Alerts program to “annually certify to having a cybersecurity risk management plan in place.”

The new rules would also demand that participants “employ sufficient security measures to ensure the confidentiality, integrity, and availability of their respective alerting systems.”
Click to expand...

Log in or Sign up

FEMA issues bulletin: Emergency Alert System (EAS) Vulnerability

guest Guest

guest Guest

EASTER Registered Member

guest Guest

guest Guest

Log in or Sign up

FEMA issues bulletin: Emergency Alert System (EAS) Vulnerability

guest Guest

guest Guest

EASTER Registered Member

guest Guest

guest Guest

Useful Searches