Sounding the alarm on flaws in the emergency alert system – Krebs on Security
The Department of Homeland Security (DHS) urges states and localities to tighten security around proprietary devices that connect to the Emergency Alert System (EAS), a national public alerting system used to provide important information about emergencies, such as severe weather and AMBER alerts. The DHS warning came ahead of a workshop to be held this weekend at the DEFCON security conference in Las Vegas, where a security researcher is expected to demonstrate multiple weaknesses in the national warning system.
The DHS warning was triggered by security researcher Ken Pyle, a partner at security firm Cybir. Pyle said he started acquiring old EAS equipment on eBay in 2019 and quickly identified a number of serious security flaws in a device widely used by states and localities to encode and decode EAS warning signals.
“I found all kinds of issues at the time and reported them to DHS, the FBI and the manufacturer,” Pyle said in an interview with KrebsOnSecurity. “But nothing ever happened. I decided not to tell anyone for now because I wanted to give people time to fix it.”
Pyle said he resumed the search in earnest after an angry mob stormed the US Capitol on January 6, 2021.
“I was sitting there thinking, ‘Holy shit, someone could start a civil war with this thing,’” Pyle recalled. “It’s still a very big problem, so I’ve decided that unless someone goes public and talks about it, clearly nothing will be done about it.”
The EAS encoders/decoders acquired by Pyle were manufactured by Lyndonville, NY-based Digital Alert Systems (formerly Monroe Electronics, Inc.), which issued a security advisory this month saying it had released patches in 2019 to address the flaws reported by Pyle, but that some customers are still running outdated versions of the device firmware. This may be because the fixes were included in firmware version 4 for the EAS devices, and many older models apparently do not support the new software.
“The identified vulnerabilities pose a potentially serious risk, and we believe both have been addressed in software updates released beginning in October 2019,” EAS said in a written statement. “We have also provided an attribution for responsible researcher disclosure, allowing us to set things straight before making public statements. We are aware that some users have not taken corrective action and updated their software and should immediately take action to update to the latest version of the software to ensure that they are not at risk. Anything below 4.1 should be updated immediately. On July 20, 2022, the researcher referenced other potential issues, and we hope he will provide more details. We will assess and work to issue any necessary mitigations as quickly as possible.”
But Pyle said many EAS stakeholders still ignore basic manufacturer advice, such as changing default passwords, placing devices behind a firewall, not exposing them directly to the Internet, and restricting access to only trusted hosts and networks.
Pyle said the biggest security threat to EAS is that an attacker would only have to compromise a single EAS station to locally send alerts that can be picked up by other EAS systems and relayed across the country.
“The alert process is automated in most cases, so having access to a device will allow you to pivot,” he said. “There is no centralized control of the EAS because these devices are designed so that someone locally can issue an alert, but there is no central control to know if I am the only one who can send or anything. If you are a local operator, you can send nationwide alerts. That’s how easy it is to do that.”
One of the Digital Alert Systems devices that Pyle got from an electronics recycler earlier this year didn’t work, but whoever threw it away neglected to erase the hard drive built into the machine. Pyle soon discovered that the device contained the private cryptographic keys and other credentials needed to send alerts via Comcast, the third largest cable company in the country.
“I can issue and create my own alert here that has all the valid checks or whatever to be a real alert station,” Pyle said in an interview earlier this month. “I can create a message that will start spreading through the EAS.”
Comcast told KrebsOnSecurity that “a third-party device used to send EAS alerts was lost in transit by a trusted shipping provider between two Comcast locations and subsequently obtained by a cybersecurity researcher.”
“We have thoroughly investigated this matter and have determined that no customer data, or any sensitive Comcast data, was compromised,” Comcast spokesperson David McGuire said.
The company said it also confirmed that information included on the device can no longer be used to send false messages to Comcast customers or used to compromise devices on Comcast’s network, including EAS devices.
“We are taking steps to further ensure the safe transfer of these devices in the future,” McGuire said. “Separately, we have performed a thorough audit of all EAS devices on our network and confirmed that they are updated with currently available patches and are therefore not vulnerable to recently reported security issues. We are grateful for the responsible disclosure and to the security research community for continuing to engage and share information with our teams to make our products and technologies ever more secure. Mr. Pyle informed us promptly of his research and worked with us as we took steps to validate its findings and ensure the security of our systems.”
Unauthorized EAS broadcast alerts have happened often enough that there is a chronicle of EAS compromises on fandom.com. Fortunately, most of these incidents have involved fairly obvious pranks.
According to the EAS Wiki, in February 2013 hackers broke into EAS networks in Great Falls, Mt. and Marquette, Michigan to broadcast an alert that zombies had risen from their graves in several counties. In February 2017, an EAS station in Indiana was also hacked, with the intruders playing the same “zombies and corpses” sound as during the 2013 incidents.
“On February 20 and 21, 2020, Wave Broadband’s EASyCAP equipment was hacked because the equipment’s default password was not changed,” the Wiki says. “Four alerts were broadcast, two of which consisted of a radiological hazard warning and a required monthly test playing parts of artist Young Thug’s song Hip Hop Hot.”
In January 2018, Hawaii sent an alert to cell phones, televisions and radios, warning everyone in the state that a missile was heading their way. It took Hawaii 38 minutes to notify people that the alert was a misfire and that a draft alert had been inadvertently sent. The video clip below from the 2018 event in Hawaii does a good job of explaining how EAS works.