America’s Emergency Alert System Has a ‘Huge Flaw’ – Broadcasters Must Fix NOW

The Emergency Alert System (EAS) operated by FEMA and the FCC is vulnerable to hacking. Imagine the vast potential for panic and chaos if a false alarm were widely broadcast.

Monroe Electronics and its d/b/a, Digital Alert Systems, are accused of sloppy software and bad patches. All will be revealed next week at DEF CON 30.

DevOps Connect: DevSecOps @ RSAC 2022

This is not an exam. In today’s SB Blogwatch, we fear a real emergency.

Your humble blogwatcher has curated these blog bits for your entertainment. Not to mention: Styles vs. Harket.

EAS FAILURE: FEMA IPAWS

What is craic? Sean Lyngaas reports—“FEMA warns that emergency alert systems could be hacked to transmit false messages”:

We take all safety reports very seriously
Vulnerabilities in the software that the country’s television and radio networks use to transmit emergency alerts could allow a hacker to broadcast false messages to…the national system that state and local authorities use to send emergency alerts about natural disasters or child abductions… on television, radio and cable networks. … The agency this week urged operators of the devices to update their software to fix the problem.

Ken Pyle, the cybersecurity researcher who discovered the problem, [said] he acquired several of the EAS devices independently and found poor security controls. … The television and radio networks own and operate the equipment.

Digital Alert Systems, Inc., the New York-based company that makes the emergency alert software, said Pyle first reported the vulnerabilities to the company in 2019, when the company issued a statement. updated software. …However, Pyle [said] later versions of Digital Alert Systems software were still susceptible to some of the security issues.

“We take all safety reports very seriously,” [said] Ed Czarnecki, vice president of Digital Alert Systems.

You do? Well, that’s fine then. Sergiu Gatlan dives deeper – “DHS warns of critical flaws”:

Snowball in a huge rift
Ken Pyle [is] the Cybir researcher who discovered this critical issue in the Monroe Electronics R189 One-Net DASDEC EAS device. … (Monroe Electronics [is] now doing business as Digital Alert Systems.)

[He said] several vulnerabilities and issues (confirmed by other researchers) have not been fixed for several years and have snowballed into a huge flaw. [He] will share more information about these vulnerabilities during an IoT Village conference at DEF CON 30 on August 13.

The warning was issued by DHS’s Federal Emergency Management Agency (FEMA) in the form of an advisory issued through the Integrated Public Alerting and Warning System (IPAWS): “We recently became aware certain vulnerabilities in EAS encoders/decoders which, if not updated to the most recent software versions, could allow an actor to issue EAS alerts on the host infrastructure (TV, radio, network cable). … The vulnerability is common knowledge and will be demonstrated to a wide audience.

And Dan Goodin defines the Wayback machine: “Hackers can disrupt legitimate warnings or issue false ones themselves”:

An impending zombie apocalypse
This isn’t the first time federal officials have warned of vulnerabilities in the emergency alert system. [In 2013, a] remote takeover vulnerability … affected DASDEC-I and DASDEC-II application servers manufactured by … Digital Alert Systems. It stems from a recent firmware update that mistakenly included the shell (SSH) secure private key. … Other reviews [warn] against vulnerabilities in the One-Net E189 emergency alert system sold by Digital Alert Systems’ parent company, Monroe Electronics.

The warnings come five months after hackers took over the emergency alert system [in] Montana … Michigan, California, Tennessee and New Mexico. [They] aired a fake emergency bulletin warning viewers of an impending zombie apocalypse: …”Civil authorities in your area have reported that the bodies of the dead are rising from the grave and attacking the living,” read at least one of the messages stuffing.

What can be done? If you operate a TV or radio station, cable company, or satellite uplink, consider the “IPAWS Advisory”:

We value our partnership with broadcasters and appreciate your efforts to maintain public confidence in the emergency alert system. …FEMA strongly encourages EAS participants to ensure that:

    • EAS devices and support systems are up to date with the latest software releases and security patches;
    • EAS devices are protected by a firewall;
    • EAS devices and supporting systems are monitored and audit logs are regularly reviewed for unauthorized access.

Do you feel something déjà vu? Ralf The Dog is:

A few decades ago…every digital sign in Dallas, Texas read “Zombie Alert. Run for your life.”

And so it is u/Un-Scammable:

Hawaii is happy after last time.

Ah, but they were different systems. Please allow jpyuda to explain:

I actually know a bit more about it from my work (I don’t work directly on it). First of all, this is the emergency alert system, which is only television and radio (including satellite) [not] the wireless emergency alert system (WEA). They are part of the same global system, called IPAWS, but they are technically separate.

What a mess. u/InevitablyPerpetual imagines the scene:

“Sir, there is a problem.”
“What is the problem?”
“Hosting the alert system. … Well, sir, Geocities has gone bankrupt.
“… My God. …”

We are so screwed. But this is nothing new for jranson:

Unfortunately, it has been a known entity for a very long time. Any cable company can tell you that it’s a wonder EAS isn’t spoofed on a regular basis. Any coder who is even just a cut above script kiddie can spend a weekend researching and come away with the ability to anonymously/untraceably trigger an EAS for an entire DMA, as long as they are within radio proximity to a receiver used by almost all broadcasters.

Meanwhile, better ignore u/BestDogeGrafy32:

Anyone for a hack that leads to a doomsday warning that sends the population into a wild, murderous frenzy?

And finally:

It was on me

Previously in And finally


Have you read SB Blogwatch by Richi Jennings. Richi curates the best blogs, the best forums, and the weirdest websites…so you don’t have to. Hate messages may be directed to @RiCHi Where [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Comments are closed.