The US Department of Homeland Security warns of vulnerabilities in the national emergency broadcast network that could allow hackers to send false alerts through radio and TV stations.
“We have recently become aware of certain vulnerabilities in EAS encoder/decoder devices that, if not updated to the most recent software versions, could allow an actor to issue EAS alerts through the host infrastructure (TV, radio, cable network),” the DHS Federal Emergency Management Agency (FEMA) warned. “This exploit has been successfully demonstrated by Ken Pyle, a security researcher at CYBIR.com, and may be presented as a proof of concept at the upcoming DEFCON 2022 conference in Las Vegas, August 11-14.”
Pyle told reporters at CNN and Bleeping Computer that the vulnerabilities reside in the Monroe Electronics R189 One-Net DASDEC EAS, an Emergency Alert System encoder and decoder. TV and radio stations use the equipment to send emergency alerts. The researcher told Bleeping Computer that “multiple vulnerabilities and issues (confirmed by other researchers) have not been patched for several years and snowballed into a huge bug.”
When asked what can be done after successful exploitation, Pyle said, “I can easily access the credentials, certificates, devices, exploit the web server, send fake alerts via craft message, give them valid/preemptive signals at will. I can also lock out legitimate users when I do that, neutralizing or disabling a comment,” Bleeping Computer added.
This isn’t the first time federal officials have warned about vulnerabilities in the emergency alert system.