Hackers Can Exploit US Emergency Alert System Flaws to Fake Warnings

****These alerts include emergency warnings that are displayed or announced by interrupting the TV and radio broadcasts.****

The US Department of Homeland Security has released a warning informing the nation about critical vulnerabilities in the country’s emergency broadcast network, the Emergency Alert System (EAS). The vulnerabilities were found in the non-updated EAS encoder/decoder devices.

If the latest firmware/software versions arent installed, hackers can issue bogus EAS alerts over the “host infrastructure (TV, radio, cable network).”

EAS is a national public warning system that lets state authorities disseminate information within ten minutes after acknowledging an emergency. The alerts are issued after interrupting the TV and radio broadcasts.

Security Advisory issued by Federal Emergency Management Agency (FEMA)

• Authorities Suspect Cyber Attack Behind False Rocket Sirens in Israel
• Panic after hackers take control of emergency tornado alarms in Texas
• Russian TV Schedules Hacked on Victory Day to Show Anti-War Messages
• Hackers can take over & control emergency alarm system with a $35 radio
• TV broadcasts in California interrupted to show the “end of the world” alert

Details of the exploit

According to the Federal Emergency Management Agency of the DHS, the exploit was demonstrated by CYBIR’s security researcher Ken Pyle. Pyle explained that the exploits were found in the Monroe Electronics R189 One-Net DASDEC EAS. This equipment is used to transmit emergency alerts. If left unpatched, a threat actor can easily issue false emergency alerts and create chaos in public.

Successful exploitation can let adversaries access the credentials, devices, certificates, and web server. They can exploit the server, deliver bogus alerts through crafts messages, and make them validate/pre-empt signals. Pyle said he could also lock legit users out at will and neutralize/disable a response.

Pyle has been credited for discovering the flaw, but its details are currently kept under wraps to prevent malicious actors from exploiting the flaws. The department also mentioned in the warning notice that the exploit will be presented as a PoC (proof of concept) at the DEFCON 2022 conference. The event will be held between August 11 and 14 in Las Vegas.

The department recommends that relevant participants update the EAS devices and install the latest software versions, use firewalls, and audit/monitor review logs to detect unauthorized access timely to mitigate the threat.