Aug 5 — In the US, the Department of Homeland Security (DHS) has issued a warning concerning critical security vulnerabilities in unpatched Emergency Alert System (EAS) encoder/decoder devices. Systems may be able to distribute fake emergency alerts via TV and radio networks.
Critical flaws: Emergency Alert System
“We recently became aware of certain vulnerabilities in EAS encoder/decoder devices that, if not updated to most recent software versions, could allow an actor to issue EAS alerts over the host infrastructure (TV, radio, cable network),” stated the DHS.
EAS vulnerability information
In coming weeks, this vulnerability will be demonstrated to a large audience during a security conference. In the interim, the US agency known as FEMA instructed all participants in the EAS system to mitigate this flaw. Their recommendations are as follows:
- EAS participants should remain up-to-date with the most recent software versions and security patches.
- EAS systems should be protected by firewalls.
- EAS systems should be monitored and audit logs should be kept.
- EAS IT managers should conduct regular reviews of audit logs to identify possible unauthorized access.
Security expert Ken Pyle, the researcher who uncovered this critical issue, states that multiple vulnerabilities and issues within the EAS system, as confirmed by other researchers, have not been patched in years. As a result, these smaller flaws are currently being grouped together and referred to as a huge vulnerability.
In the event that a cyber adversary were to exploit these flaws, the adversary would gain access to credentials, certifications, devices, web servers, and -as noted previously- the ability to send fake alerts to the American public.
Security researchers, security engineers and federal agencies are working to resolve the issue prior to releasing additional technical information.
What is the Emergency Alert System?
The US Emergency Alert System (EAS) is designed to function as a public warning system that permits the President or state and local authorities to share critical information in the event of an emergency. By and large, this system is used to distribute weather info, imminent threat information, or AMBER alerts.
The system can also be used to send national-level alerts, provided that the President requires that the alert have nationwide reach. EAS alerts are delivered through multiple communication channels simultaneously; satellite radio, broadcast, cable, text message and satellite TV.
They interrupt existing radio and television programming to broadcast emergency alert information. Text message can be delivered with our without audio attachments.
For more on this story, click here. For additional cyber security insights, see CyberTalk.org’s whitepapers. Lastly, to receive more timely cyber security news, top-tier reports and cutting-edge analyses, please sign up for the cybertalk.org newsletter.