For the uninitiated, EAS is a national warning system in the United States designed to allow authorized officials to broadcast emergency alerts and warning messages to the public via cable, satellite, or broadcast television, and both AM/FM and satellite radio.

“We recently became aware of certain vulnerabilities in EAS encoder/decoder devices that, if not updated to most recent software versions, could allow an actor to issue EAS alerts over the host infrastructure (TV, radio, cable network),” the DHS’s Federal Emergency Management Agency (FEMA) said in an advisory delivered through the Integrated Public Alert and Warning System (IPAWS).

“This exploit was successfully demonstrated by Ken Pyle, a security researcher at CYBIR.com, and may be presented as a proof of concept at the upcoming DEFCON 2022 conference in Las Vegas, August 11-14. In short, the vulnerability is public knowledge and will be demonstrated to a large audience in the coming weeks.”

To safeguard against such exploits, FEMA has strongly encouraged its EAS participants to ensure that:

- EAS devices and supporting systems are up to date with the most recent software versions and security patches;
- EAS devices are protected by a firewall;
- EAS devices and supporting systems are monitored and audit logs are regularly reviewed looking for unauthorized access.
Ken Pyle, the cybersecurity researcher who discovered the issue, told Bleeping Computer that the vulnerabilities lie in the Monroe Electronics R189 One-Net DASDEC EAS, which is an EAS encoder and decoder device used by TV and radio stations to broadcast emergency alerts. According to the researcher, the issue has now ballooned into a huge flaw because multiple vulnerabilities and issues (confirmed by other researchers) have not been patched for several years.

“When asked what can be done after successful exploitation, Pyle said: ‘I can easily obtain access to the credentials, certs, devices, exploit the web server, send fake alerts via crafts message, have them valid / pre-empting signals at will. I can also lock legitimate users out when I do, neutralizing or disabling a response,’” Bleeping Computer added.

Pyle did not provide any details regarding the issue but said that the main concern is to lessen the problem before releasing any further information. “Public safety and cybersecurity are more important than social media likes and sensationalism. I do the right thing regardless of whether people are looking or not,” Pyle added.

It’s unclear how many EAS devices are affected by the vulnerable software.