The Department of Homeland Security (DHS) issued an alert that hackers might use unpatched Emergency Alert System (EAS) encoder/decoder devices to deliver phony emergency warnings across TV and radio networks by exploiting serious security flaws. Federal Emergency Management Agency (FEMA) of DHS issued the alert as an advisory that was sent via the Integrated Public Alert and Warning System (IPAWS).
“We recently became aware of certain vulnerabilities in EAS encoder/decoder devices that, if not updated to most recent software versions, could allow an actor to issue EAS alerts over the host infrastructure (TV, radio, cable network),” said the DHS agency.
“This exploit was successfully demonstrated by Ken Pyle, a security researcher at CYBIR.com, and may be presented as a proof of concept at the upcoming DEFCON 2022 conference in Las Vegas, August 11-14”, DHS added. “In short, the vulnerability is public knowledge and will be demonstrated to a large audience in the coming weeks.”
Additionally, FEMA encouraged everyone using the EAS system to properly mitigate this problem by making sure that their Emergency Alert System devices are:
- protected by a firewall;
- using the most recent security patches and software updates;
- monitored and audit logs are routinely checked for unauthorized access.
According to Ken Pyle, a Cybir researcher who found the Monroe Electronics R189 One-Net DASDEC EAS device to have this serious flaw, several flaws and vulnerabilities (verified by other researchers) had gone unpatched for a while, which allowed them to grow into a significant problem.
When asked what might be done upon a successful exploitation, Pyle said that he can easily gain access to the credentials, devices, certs, attack the web servers, send phony alarms through crafted message, and have them valid / pre-empting signals at will. He can also block legitimate users whenever he wants, disabling or neutralizing a response. Pyle also addressed the paucity of information around this matter, stating that the key priority is to address the issue before disclosing any information.
Around ten years ago, Monroe Electronics (now known as Digital Alert Systems) corrected the identical EAS device’s maximum severity vulnerability (recorded as CVE-2013-4735). Using a shared private root SSH key that is made available in publicly accessible firmware images, remote attackers can take advantage of it if it is not fixed in order to get root access and fake warnings through an SSH session. At DEF CON 30 on August 13 from 10 AM to 2:00 PM, Pyle will give a session in the IoT Village where he will provide further details on these vulnerabilities.
Pyle will share further information on these vulnerabilities in an IoT Village talk at DEF CON 30, on August 13, between 10 AM and 02 PM.
What is the Emergency Alert System?
EAS is a U.S. national public warning system that allows the president or state and local authorities to deliver critical information in case of federal or local emergency (e.g., weather info, imminent threats, or AMBER alerts) and when all other means of alerting the public are unavailable.
This system can also be used to send national-level alerts provided that the President considers it necessary that the messages should have a nationwide reach.
EAS alerts are delivered via IPAWS through multiple communication channels simultaneously, including AM, FM, and satellite radio, as well as broadcast, cable, and satellite TV, to reach as many people as possible.
They can also interrupt radio and television programming to broadcast emergency alert information and can be delivered as text messages with or without audio attachments.