US Emergency Alert System Has ‘Huge Flaw’ — Broadcasters Must Patch NOW

The Emergency Alert System (EAS) run by FEMA and the FCC is vulnerable to hacking. Imagine the vast potential for panic and chaos if a fake alert were widely broadcast.

Monroe Electronics and its d/b/a, Digital Alert Systems, are accused of sloppy software—plus poor patching. All will be revealed next week at DEF CON 30.

This is not a test. In today’s SB Blogwatch, we fear a real emergency.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Styles vs. Harket.

EAS FAIL: FEMA IPAWS

What’s the craic? Sean Lyngaas reports—“FEMA warns emergency alert systems could be hacked to transmit fake messages”:

We take all security reports very seriously
Vulnerabilities in software that TV and radio networks around the country use to transmit emergency alerts could allow a hacker to broadcast fake messages over … the national system that state and local officials use to send urgent alerts about natural disasters or child abductions … over TV, radio and cable networks. … The agency this week urged operators of the devices to update their software to address the issue.

Ken Pyle, the cybersecurity researcher who discovered the issue, [said] he acquired several of the EAS devices independently and found poor security controls. … TV and radio networks own and operate the equipment.

Digital Alert Systems, Inc., the New York-based firm that makes the emergency-alert software, said that Pyle first reported the vulnerabilities to the firm in 2019, at which time the firm issued updated software. … However, Pyle [said] subsequent versions of the Digital Alert Systems software were still susceptible to some of the security issues.

“We take all security reports very seriously,” [said] Ed Czarnecki, Digital Alert Systems’ vice president.

You do? Well, that’s alright then. Sergiu Gatlan dives deeper—“DHS warns of critical flaws”:

Snowballed into a huge flaw
Ken Pyle [is] the Cybir researcher who discovered this critical issue in the Monroe Electronics R189 One-Net DASDEC EAS device. … (Monroe Electronics [is] now doing business as Digital Alert Systems.)

[He said] multiple vulnerabilities and issues (confirmed by other researchers) haven’t been patched for several years and snowballed into a huge flaw. [He] will share further information on these vulnerabilities in an IoT Village talk at DEF CON 30, on August 13.

The warning was issued by DHS’ Federal Emergency Management Agency (FEMA) as an advisory delivered through the Integrated Public Alert and Warning System (IPAWS): “We recently became aware of certain vulnerabilities in EAS encoder/decoder devices that, if not updated to most recent software versions, could allow an actor to issue EAS alerts over the host infrastructure (TV, radio, cable network). … The vulnerability is public knowledge and will be demonstrated to a large audience.”

And Dan Goodin sets the Wayback machine—“Hackers can disrupt legit warnings or issue fake ones of their own”:

Imminent zombie apocalypse
This isn’t the first time federal officials have warned of vulnerabilities in the emergency alert system. [In 2013, a] remote takeover vulnerability … affected the DASDEC-I and DASDEC-II application servers made by … Digital Alert Systems. It stems from a recent firmware update that mistakenly included the private secure shell (SSH) key. … Other advisories [warn] against vulnerabilities in the One-Net E189 Emergency Alert System device sold by Digital Alert Systems’ parent company Monroe Electronics.

The warnings come five months after hackers took over the emergency alert system [in] Montana … Michigan, California, Tennessee, and New Mexico. [They] broadcast a bogus emergency bulletin warning TV viewers of an imminent zombie apocalypse: … “Civil authorities in your area have reported that the bodies of the dead are rising from the grave and attacking the living,” at least one of the prank messages said.

What can be done? If you run a TV or radio station, a cable company or broadcast satellite uplink, heed the “IPAWS Advisory”:

We value our partnership with broadcasters and appreciate your efforts to maintain public trust and confidence in the Emergency Alert System. … FEMA strongly encourages EAS participants to ensure that:

    • EAS devices and supporting systems are up to date with the most recent software versions and security patches;
    • EAS devices are protected by a firewall;
    • EAS devices and supporting systems are monitored and audit logs are regularly reviewed looking for unauthorized access.

Are you feeling some déjà vu? Ralf The Dog is:

A few decades ago … all the digital signs in Dallas Texas showed, “Zombie Alert. Run for your lives.”

And so is u/Un-Scammable:

Hawaii is happy about this after last time.

Ah, but those were different systems. Please allow jpyuda to explain:

I actually know a bit about this from my job (I do not work on it directly). First, this is the Emergency Alert System, which is just TV and radio (including satellite) [not] the Wireless Emergency Alerts (WEA) system. They are part of the same over-arching system, called IPAWS, but they’re separate from a technical standpoint.

What a mess. u/InevitablyPerpetual imagines the scene:

“Sir, there’s a problem.”
“What’s the issue?”
“The hosting for the alert system. … Well, sir, Geocities went out of business.”
“… Dear God. …”

We’re so screwed. But it’s not news to jranson:

Sadly this has been a known entity for a very long time. Any cable operator can tell you that it’s a miracle EAS’s are not regularly spoofed. Any coder who is even just a step above script kiddie can spend a weekend researching and come away with the ability to anonymously/untraceably trigger an EAS for an entire DMA, so long as they are in radio vicinity of a receiver used by nearly all broadcasters.

Meanwhile, best ignore u/BestDogeGrafy32:

Anyone for a hack that leads to an end-of-the-world warning that sends the population into a savage, murderous frenzy?

And Finally:

It was on Me


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
