- The US Federal Emergency Management Agency (FEMA) warned about vulnerabilities discovered in the US Emergency Alert System.
- The vulnerabilities could allow a remote malicious user to broadcast false alerts nationwide in the US via network devices.
- The US Emergency Alert System was created mainly to allow the President of the United States to address the country via all radio and television stations in the event of a national emergency.
The Federal Emergency Management Agency (FEMA) published a bulletin about vulnerabilities found in Emergency Alert System (EAS) encoder/decoder devices that allow an actor to broadcast emergency alerts over television, radio, and cable networks.
Details are not available yet
The vulnerabilities were found by Ken Pyle, a security researcher at CYBIR. FEMA did not disclose the exact details of the bugs. However, reports suggest that the security holes are present in the Monroe Electronics R189 One-Net DASDEC EAS device, which makes it easier for remote malicious actors to hijack the networks. FEMA also did not reveal whether the vulnerabilities have been abused so far. FEMA said:
« In short, the vulnerability is public knowledge and will be demonstrated to a large audience in the coming weeks. »
The Emergency Alert System is run by FEMA at the federal level together with its partners, the Federal Communications Commission (FCC) and the National Oceanic and Atmospheric Administration. The system was created mainly to allow the President of the United States to address the country via all radio and television stations in the event of a national emergency. It is connected to radio and TV broadcasters, cable TV, wireless cable systems, satellite, and wireline operators. It can be used for anything from extreme weather events to AMBER alerts. The alerts are delivered via the Integrated Public Alert and Warning System (IPAWS).
FEMA stated that further details may be disclosed as a proof of concept at the upcoming DEFCON 2022 conference in Las Vegas, August 11-14. It urged EAS participants to ensure that:
- the devices and supporting systems are up to date with the most recent software versions and security patches;
- the devices are protected by a firewall;
- the devices are monitored and audit logs are regularly reviewed for unauthorized access.