FEMA, FCC warn emergency alert system vulnerable to hacking
Hackers can use the U.S. Emergency Alert System to issue TV, radio and cable network alerts if encoder and decoder device software isn’t properly updated, the Federal Emergency Management Agency warned system participants.
FEMA issued an advisory to broadcasters after learning the exploit may be demonstrated to a large audience at the DEF CON hacking conference in Las Vegas that runs Aug. 11-14, 2022.
CYBIR.com security researcher Ken Pyle discovered the vulnerability, prompting FEMA to encourage Emergency Alert System (EAS) participants to update devices and supporting systems with the most recent software versions and patches, protect them with firewalls, and monitor them and review audit logs for unauthorized access.
“We value our partnership with broadcasters and appreciate your efforts to maintain public trust and confidence in the Emergency Alert System,” reads the IPAWS advisory issued Aug. 1.
The Federal Communications Commission issued a similar notice Friday, stating its Public Safety and Homeland Security Bureau had previously warned communications providers about the exploit. EAS participants should upgrade equipment software and firmware regardless of the make and model, according to the notice.
The FCC additionally advised EAS participants to change default passwords; review the recommendations for addressing potential data security vulnerabilities made by the Communications Security, Reliability, and Interoperability Council in 2014; and contact their equipment manufacturers with security questions.
“The commission emphasizes that, under its rules, EAS participants are ‘responsible for ensuring that EAS encoders, EAS decoders, attention signal-generating and -receiving equipment, and intermediate devices used as part of the EAS … are installed so that the monitoring and transmitting functions are available during the times the stations and systems are in operation,’” reads the notice. “The commission’s rules establish that failure to receive or transmit EAS messages during national tests or actual emergencies because of an equipment failure may subject the EAS participant to enforcement.”