The US government is warning of critical vulnerabilities in its Emergency Alert System (EAS) systems that, if exploited, could enable intruders to send fake alerts out over television, radio, and cable networks.

The Department of Homeland Security (DHS) said in an advisory it was recently informed about the flaws in EAS encoder and decoder devices, adding that they were successfully exploited by Ken Pyle, a security researcher at cybersecurity firm CYBIR. There is a sense of urgency to the advisory because the exploit “may” be presented, with proof of concept code, at the DEF CON conference in Las Vegas next week.

“In short, the vulnerability is public knowledge and will be demonstrated to a large audience in the coming weeks,” the agency wrote in the advisory, which was issued this week by DHS’ Federal Emergency Management Agency (FEMA).

The DHS is urging organizations that operate the EAS to ensure that their devices and supporting systems are updated with the most recent software versions and security patches, are protected by a firewall, and are monitored, with audit logs being regularly reviewed to ensure there is no unauthorized access.

The exact nature of the security flaws was not disclosed by Homeland Security. However, it’s reported that the holes are present in the Monroe Electronics R189 One-Net DASDEC EAS device, and this can be remotely compromised to send out fake alerts, lock out legit users, and cause other damage.

EAS has far-reaching capabilities nationally and locally, though it’s probably best known for the irritating regular tests that loudly interrupt TV and radio broadcasts. The service on the federal level is run by FEMA and its partners, including the Federal Communications Commission (FCC) and National Oceanic and Atmospheric Administration.

The system is designed to ensure that the president can address US citizens within 10 minutes during a national emergency and requires that radio and TV broadcasters, cable TV, wireless cable systems, satellite, and wireline operators ensure that can happen.

State and local officials also can use the system during emergencies, which can range from extreme weather events to AMBER alerts. The alerts are delivered via the Integrated Public Alert and Warning System (IPAWS).

IPAWS for thought

The security industry can expect more such vulnerabilities to be found and exploited as more systems are interconnected, particularly at such a large scale, according to Erich Kron, security awareness advocate at security awareness training firm KnowBe4.

“In a case such as this that impacts emergency notifications, it may be easy to think that no real harm could come from a false alarm,” Kron told The Register. “However, history proves that is not true.”

He pointed to the takeover of the Associated Press’ Twitter account in 2013, when a bogus tweet on the account reported there had been two explosions at the White House that injured President Obama. The message panicked people and sent the Dow Jones Industrial Average plunging 150 points as it was retweeted.

Then-White House Press Secretary Jay Carny quickly reassured the country that nothing had happened and that President Obama was not hurt, and the stock market went back to normal within six minutes after the initial tweet.

A group that called itself the Syrian Electronic Army, which backed Syrian President Bashar al-Assad, would later claim responsibility for the attack, according to reports.

Interesting side note: The Syrian Electronic Army years and years ago tried to hack into The Register‘s homegrown publishing system using a phishing email to one of our reporters. The message purported to come from one of our editors, and had a link to a page that looked just like our login process to harvest the username and password.

The biggest giveaway was that the email was far too cheery for that editor to have sent it, and the scam was rumbled. It also spurred us to add multi-factor authentication and other protections.

In 2018, a ballistic missile alert in Hawaii was accidently issued over the EAS and Wireless EAS via TV, radio, and cellphones. The alert claimed there was an incoming missile aimed at the state and urged residents to seek shelter. People panicked, phone systems were overloaded, and highways clogged, Kron said.

The accidental alert was the result of a miscommunication during a drill at Hawaii’s Emergency Management Agency.

“Even false alerts such as these have real world impact, and at the very least dissolve public faith in these critical systems,” he said. Kron said organizations involved with these systems should regularly patch these systems as a normal part of operations.

“While patching has been known to cause problems in IT systems, a mature and well-designed patch management program can ensure that any problems caused can be easily rolled back and the system kept online until a mitigation to the problem is found,” he said. “It is simply too important for these systems to be working and secure to not keep them up to date with security patches.” ®