The Department of Homeland Security (DHS) issued a warning that hackers might abuse critical weaknesses in Emergency Alert System (EAS) encoder/decoder devices that haven’t been patched in order to send bogus emergency notifications over TV and radio networks.
What is the Emergency Alert System (EAS)?
The Emergency Alert System (EAS) is a national warning system in the United States created to enable authorized authorities to communicate emergency alerts and warning messages to the general public through cable, satellite, or broadcast television, as well as both AM/FM and satellite radio.
This system can also be used to deliver national-level warnings if the President deems it necessary for the messages to be broadcast nationwide.
The alert was published by the Department of Homeland Security’s Federal Emergency Management Agency (FEMA) as an advisory sent via the Integrated Public Alert and Warning System (IPAWS).
From the warning:
We recently became aware of certain vulnerabilities in EAS encoder/decoder devices that, if not updated to the most recent software versions, could allow an actor to issue EAS alerts over the host infrastructure (TV, radio, cable network).
This exploit was successfully demonstrated by Ken Pyle, a security researcher at CYBIR.com, and may be presented as a proof of concept at the upcoming DEFCON 2022 conference in Las Vegas, August 11-14.
In short, the vulnerability is public knowledge and will be demonstrated to a large audience in the coming weeks.
Additionally, the federal agency encouraged all EAS system users to take adequate measures in order to mitigate this security vulnerability by making sure that:
- EAS devices and supporting systems have the most recent software versions and security patches installed.
- EAS devices are protected by a firewall;
- EAS devices and supporting systems are monitored, and audit logs are evaluated on a regular basis in order to detect unauthorized access.
Monroe Electronics Devices Have Many Vulnerabilities and Issues
BleepingComputer has contacted Ken Pyle, a Cyber researcher who found the Monroe Electronics R189 One-Net DASDEC EAS device to have this critical flaw.
According to him, a large number of issues and vulnerabilities that have been confirmed by other specialists have gone unpatched for years and have grown into a significant flaw.
When asked what can be done following successful exploitation, the researcher responded:
I can easily obtain access to the credentials, certs, devices, exploit the web server, send fake alerts via crafts message, have them valid / pre-empting signals at will. I can also lock legitimate users out when I do, neutralizing or disabling a response.
He also clarified why there is so little information concerning this problem, declaring that the priority here is to address the issue before disclosing more details on the matter.
Public safety and cybersecurity are more important than social media likes and sensationalism. I do the right thing regardless of whether people are looking or not.
As per BleepingComputer, Monroe Electronics fixed a maximum severity flaw affecting the same EAS device nearly a decade ago.
Further details on these security vulnerabilities will be provided by Ken Pyle during an IoT Village talk at DEF CON 30 on August 13 from 10 AM to 2:00 PM.