Software flaw could let hackers take over US emergency alert system

Cause for alarm! Software flaw could let hackers take over United States’ emergency alert system and broadcast FAKE warnings of an apocalyptic event

  • Hackers could exploit a software vulnerability to send out fake alerts to the Emergency Alert System in the United States 
  • This exploit was successfully demonstrated by Ken Pyle, a security researcher at CYBIR.com, and may be presented at a conference in Las Vegas, August 11-14
  • FEMA’s tips included ensuring that EAS devices and supporting systems are up to date with the most recent software versions and security patches

Hackers have the capability to exploit a software flaw in the Emergency Alert System to issue fake warnings over radio and TV stations, the U.S. Department of Homeland Security warns.

‘We recently became aware of certain vulnerabilities in EAS encoder/decoder devices that, if not updated to the most recent software versions, could allow an actor to issue EAS alerts over the host infrastructure (TV, radio, cable network),’ the DHS’s Federal Emergency Management Agency (FEMA) said. 

‘This exploit was successfully demonstrated by Ken Pyle, a security researcher at CYBIR.com, and may be presented as a proof of concept at the upcoming DEFCON 2022 conference in Las Vegas, August 11-14.’

Scroll down for video 

‘We recently became aware of certain vulnerabilities in EAS encoder/decoder devices that, if not updated to the most recent software versions, could allow an actor to issue EAS alerts over the host infrastructure.’ Pictured above is FEMA’s message

In its advisory, the federal agency encouraged EAS participants to ensure that: ‘EAS devices and supporting systems are up to date with the most recent software versions and security patches; EAS devices are protected by a firewall; EAS devices and supporting systems are monitored and audit logs are regularly reviewed looking for unauthorized access.’ 

Pyle told a reporter at Bleeping Computer that the vulnerabilities reside in the Monroe Electronics R189 One-Net DASDEC EAS, which is a type of emergency alert system encoder and decoder. 

That’s the equipment that TV and radio stations use to transmit emergency alerts. 

The researcher said that ‘multiple vulnerabilities and issues (confirmed by other researchers) haven’t been patched for several years and snowballed into a huge flaw.’

In its advisory, the federal agency encouraged EAS participants to ensure that: ‘EAS devices and supporting systems are up to date with the most recent software versions and security patches; EAS devices are protected by a firewall’. Pictured above is the EAS logo

The researcher said that ‘multiple vulnerabilities and issues (confirmed by other researchers) haven’t been patched for several years and snowballed into a huge flaw.’

When asked what can be done after successful exploitation, Pyle told Bleeping Computer: ‘I can easily obtain access to the credentials, certs, devices, exploit the web server, send fake alerts via crafts message, have them valid / pre-empting signals at will. I can also lock legitimate users out when I do, neutralizing or disabling a response.’

Pyle also spoke about the lack of information regarding this vulnerability. 

‘Public safety and cybersecurity are more important than social media likes and sensationalism. I do the right thing regardless of whether people are looking or not,’ Pyle added.

The EAS is a national public warning system that allows the president or state and local officials to deliver crucial information to citizens in case of a federal or local emergency – such as a weather event, imminent threats to public safety or even AMBER alerts.

Alerts can be delivered via multiple communication channels simultaneously, including AM, FM and satellite radio, as well as broadcast, cable and satellite TV – in order to reach the largest number of people. 

They can also interrupt TV programming or be sent as mass text messages. 

Federal officials have warned in the past that hackers could exploit the EAS in order to hijack it for malicious purposes.  

‘Public safety and cybersecurity are more important than social media likes and sensationalism. I do the right thing regardless of whether people are looking or not,’ Pyle said

Source: Read Full Article