“Huge flaw” threatens US emergency alert system, DHS researcher warns

source link: https://arstechnica.com/information-technology/2022/08/huge-flaw-threatens-us-emergency-alert-system-dhs-researcher-warns/

WE INTERRUPT THIS PROGRAM... —

Hackers can disrupt legit warnings or issue fake ones of their own.

Dan Goodin - 8/5/2022, 12:32 AM

The US Department of Homeland Security is warning of vulnerabilities in the nation’s emergency broadcast network that make it possible for hackers to issue bogus warnings over radio and TV stations.

“We recently became aware of certain vulnerabilities in EAS encoder/decoder devices that, if not updated to the most recent software versions, could allow an actor to issue EAS alerts over the host infrastructure (TV, radio, cable network),” the DHS's Federal Emergency Management Agency (FEMA) warned. “This exploit was successfully demonstrated by Ken Pyle, a security researcher at CYBIR.com, and may be presented as a proof of concept at the upcoming DEFCON 2022 conference in Las Vegas, August 11-14.”

Pyle told reporters at CNN and Bleeping Computer that the vulnerabilities reside in the Monroe Electronics R189 One-Net DASDEC EAS, an emergency alert system encoder and decoder. TV and radio stations use the equipment to transmit emergency alerts. The researcher told Bleeping Computer that “multiple vulnerabilities and issues (confirmed by other researchers) haven't been patched for several years and snowballed into a huge flaw.”

“When asked what can be done after successful exploitation, Pyle said: ‘I can easily obtain access to the credentials, certs, devices, exploit the web server, send fake alerts via crafts message, have them valid / pre-empting signals at will. I can also lock legitimate users out when I do, neutralizing or disabling a response,’” Bleeping Computer added.

This isn’t the first time federal officials have warned of vulnerabilities in the emergency alert system.

Promoted Comments

  • gavron Ars Scholae Palatinae
    Everyone I know has all alerts turned off -- even weather alerts. Those that don't have them disabled... you see this out in public... the alert hits everyone about the same time and they all roll their eyes and rush to silence the damn phone.

    The EBS sucked. The EAS sucks. Nobody gives a rat's ass. DHS should just turn it off.

    - NO you can't have 330 million people searching for Amber, taken in an SUV. All cars are SUVs now.
    Amber alerts are 17% effective, 5% hoaxes, and 78% annoyance.

    - NO you can't have 330 million people searching for Mr. Silver, driving an SUV. He's got dementia. They let him keep his driver's license, car, car insurance, etc.
    Silver alerts account for a 94% success rate. That's because most of the time the guy is asleep in his own car in his own driveway (or locked the keys outside...)

    - NO flash floods in Houston don't matter to those of us NOT IN Houston (or downstream from it).
    Weather alerts have been called 20,000 times in twenty years starting 1996. There are no numbers for how effective this is at all.

    There's no "good way" to "alert EVERYBODY" in a way that will lead to positive results. Duck and cover? Get under your schooldesk? Tuck your head between your knees and kiss your sweet ass goodbye?

    Time to ditch EAS and do what we do in real life business solution management:
    1. Define the problem.
    2. Propose a solution.
    3. Ensure the solution solves the problem.
    4. Ensure the solution doesn't make things worse overall, has no side effects, and doesn't empower black-hats to overrun the system.
    5. Collect data to verify #3 and #4
    6. Iterate.

    E
