Share news article

Share on facebook
Share on twitter
Share on linkedin
Share on email

Hackers Can Exploit US Emergency Alert System Flaws to Fake Warnings

These alerts include emergency warnings that are displayed or announced by interrupting the TV and radio broadcasts.

The US Department of Homeland Security has released a warning informing the nation about critical vulnerabilities in the country’s emergency broadcast network, the Emergency Alert System (EAS). The vulnerabilities were found in the non-updated EAS encoder/decoder devices.

If the latest firmware/software versions arent installed, hackers can issue bogus EAS alerts over the “host infrastructure (TV, radio, cable network).”

EAS is a national public warning system that lets state authorities disseminate information within ten minutes after acknowledging an emergency. The alerts are issued after interrupting the TV and radio broadcasts. 

Hackers Can Exploit Flaws in US Emergency Alert System to Fake Warnings
Security Advisory issued by Federal Emergency Management Agency (FEMA)

Details of the exploit

According to the Federal Emergency Management Agency of the DHS, the exploit was demonstrated by CYBIR’s security researcher Ken Pyle. Pyle explained that the exploits were found in the Monroe Electronics R189 One-Net DASDEC EAS. This equipment is used to transmit emergency alerts. If left unpatched, a threat actor can easily issue false emergency alerts and create chaos in public. 

Successful exploitation can let adversaries access the credentials, devices, certificates, and web server. They can exploit the server, deliver bogus alerts through crafts messages, and make them validate/pre-empt signals. Pyle said he could also lock legit users out at will and neutralize/disable a response.

Pyle has been credited for discovering the flaw, but its details are currently kept under wraps to prevent malicious actors from exploiting the flaws. The department also mentioned in the warning notice that the exploit will be presented as a PoC (proof of concept) at the DEFCON 2022 conference. The event will be held between August 11 and 14 in Las Vegas. 

The department recommends that relevant participants update the EAS devices and install the latest software versions, use firewalls, and audit/monitor review logs to detect unauthorized access timely to mitigate the threat.

Related News

Bundestag Bungle: Political Microtargeting of Facebook Users Draws Ire

Bundestag Bungle: Political Microtargeting of Facebook Users Draws Ire

German politicians and political parties have been using data about Facebook users’ political preferences to deliver microtargeted advertisements, a watchdog…
Epidemic of Insecure Storage, Backup Devices Is a Windfall for Cybercriminals

Epidemic of Insecure Storage, Backup Devices Is a Windfall for Cybercriminals

Companies in every industry continue to leave backup and storage platforms unsecured, with more than a dozen issues, including insecure network…
The Board of Directors Will See You Now

The Board of Directors Will See You Now

For more than 15 years, the cybersecurity industry has been talking about communicating with the board of directors. It’s common…