The Federal Emergency Management Agency (FEMA) issued an alert on August 1 warning of vulnerabilities in encoder/decoder devices for the agency’s U.S. Emergency Alert System (EAS) that could allow hackers to send fake alerts over TV, radio, and cable networks.
“This exploit was successfully demonstrated by Ken Pyle, a security researcher at CYBIR.com, and may be presented as a proof of concept at the upcoming DEFCON 2022 conference in Las Vegas, August 11-14,” FEMA said in a release from its Integrated Alert and Warning System (IPAWS) program office.
The discovery prompted FEMA to issue an advisory for operators of EAS devices to update their software to address the vulnerability. There has been no evidence that a hacker has exploited the vulnerabilities. In addition to patching and updating software, FEMA urged EAS participants to make sure EAS devices are protected by a firewall, and that EAS devices and supporting systems are monitored and audit logs are reviewed regularly for unauthorized access.
According to CNN, Ken Pyle, a cybersecurity researcher for security firm CYBIR, provided FEMA Federal with “compelling evidence to suggest certain unpatched and unsecured EAS devices are indeed vulnerable,” said Mark Lucero, who is chief engineer for IPAWS.
According to FEMA, false alerts could be issued over TV, radio, and cable networks, but did not say the same for alerts sent over text message.
“It’s a big critical infrastructure problem everyone needs to own,” Pyle told CNN.
The Federal Communications Commission (FCC) also issued a notice on its Public Safety and Homeland Security Bureau previously warning communications providers about the vulnerability.
The FCC notice encouraged EAS partners to: change default passwords; review recommendations for addressing data security vulnerabilities made by the Communications Security, Reliability, and Interoperability Council in 2014; and contact their manufacturers with security questions.