The Department of Homeland Security (DHS) warned that attackers could exploit critical security vulnerabilities in unpatched Emergency Alert System (EAS) encoder/decoder devices to send fake emergency alerts via TV and radio networks.
The warning was issued by DHS’ Federal Emergency Management Agency (FEMA) as an advisory delivered through the Integrated Public Alert and Warning System (IPAWS).
“We recently became aware of certain vulnerabilities in EAS encoder/decoder devices that, if not updated to most recent software versions, could allow an actor to issue EAS alerts over the host infrastructure (TV, radio, cable network),” the DHS agency said.
“This exploit was successfully demonstrated by Ken Pyle, a security researcher at CYBIR.com, and may be presented as a proof of concept at the upcoming DEFCON 2022 conference in Las Vegas, August 11-14.
“In short, the vulnerability is public knowledge and will be demonstrated to a large audience in the coming weeks.”
FEMA also urged all EAS participants to mitigate this flaw by ensuring that their EAS devices are:
- up to date with the most recent software versions and security patches;
- protected by a firewall;
- monitored, with audit logs regularly reviewed for unauthorized access.
Multiple flaws and issues in Monroe Electronics devices
BleepingComputer also spoke with Ken Pyle, the Cybir researcher who discovered this critical issue in the Monroe Electronics R189 One-Net DASDEC EAS device.
He told BleepingComputer that multiple vulnerabilities and issues (confirmed by other researchers) haven’t been patched for several years and snowballed into a huge flaw.
When asked what can be done after successful exploitation, Pyle said: “I can easily obtain access to the credentials, certs, devices, exploit the web server, send fake alerts via crafts message, have them valid / pre-empting signals at will. I can also lock legitimate users out when I do, neutralizing or disabling a response.”
Pyle also explained the lack of info regarding this issue, saying that the main concern is to mitigate the problem before releasing more details.
“Public safety and cybersecurity are more important than social media likes and sensationalism. I do the right thing regardless of whether people are looking or not,” Pyle added.
Almost a decade ago, Monroe Electronics (now doing business as Digital Alert Systems) patched a maximum severity vulnerability impacting the same EAS device (tracked as CVE-2013-4735).
If a device is left unpatched, remote attackers can exploit that flaw to gain root access and spoof alerts via an SSH session by taking advantage of a shared private root SSH key exposed in publicly available firmware images.
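The following Python sketch is an added example, not code from the article, the researcher or the vendor. It shows a fleet-side check for the shared-key failure mode described above: it fingerprints every key in each device's authorized_keys content and flags any key authorized on more than one device or present on a deny list. The device names, key blobs and the deny_list parameter are constructed for illustration.

```python
import base64
import hashlib
from collections import defaultdict

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")  # prefixes of OpenSSH public key type names

def fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def key_fingerprints(authorized_keys_text):
    """Yield the fingerprint of every key line, tolerating a leading options field."""
    for line in authorized_keys_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        for i, field in enumerate(fields[:-1]):
            if field.startswith(KEY_TYPES):
                try:
                    yield fingerprint(fields[i + 1])
                except ValueError:  # malformed base64: not a usable key line
                    pass
                break

def audit(devices, deny_list=frozenset()):
    """Map fingerprint -> sorted device names for keys that are shared or deny-listed."""
    seen = defaultdict(set)
    for name, text in devices.items():
        for fp in key_fingerprints(text):
            seen[fp].add(name)
    return {fp: sorted(names) for fp, names in seen.items()
            if len(names) > 1 or fp in deny_list}

def _blob(seed):
    # Constructed ed25519-shaped blob for the sample data; not a real key.
    body = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + hashlib.sha256(seed).digest()
    return base64.b64encode(body).decode()

FACTORY, SITE_A = _blob(b"factory-default"), _blob(b"site-a-admin")
SAMPLE = {  # constructed authorized_keys contents, keyed by hypothetical device name
    "eas-01": f"ssh-ed25519 {FACTORY} root@factory\nssh-ed25519 {SITE_A} admin@site-a\n",
    "eas-02": f'from="10.0.0.0/8" ssh-ed25519 {FACTORY} root@factory\n',
    "eas-03": f"# rotated\nssh-ed25519 {_blob(b'site-c-admin')} admin@site-c\n",
}

if __name__ == "__main__":
    for fp, hosts in audit(SAMPLE).items():
        print(f"{fp} authorized on: {', '.join(hosts)}")
```

A key that shows up on several devices is a credential to rotate per device, since anyone holding the matching private key can log in to all of them.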
Pyle will share further information on these vulnerabilities in an IoT Village talk at DEF CON 30, on August 13, between 10 AM and 02 PM.
What is the Emergency Alert System?
EAS is a U.S. national public warning system that allows the president or state and local authorities to deliver critical information in case of federal or local emergency (e.g., weather info, imminent threats, or AMBER alerts) and when all other means of alerting the public are unavailable.
This system can also be used to send national-level alerts when the President considers it necessary for the messages to have nationwide reach.
EAS alerts are delivered via IPAWS through multiple communication channels simultaneously, including AM, FM, and satellite radio, as well as broadcast, cable, and satellite TV, to reach as many people as possible.
They can also interrupt radio and television programming to broadcast emergency alert information and can be delivered as text messages with or without audio attachments.