Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

FEMA Urges Patching of Emergency Alert Systems, But Some Flaws Remain Unfixed

The US Federal Emergency Management Agency (FEMA) has issued an advisory urging organizations to ensure that their emergency alert systems are patched, but a researcher says there are no patches for some of the vulnerabilities affecting these systems.

The US Federal Emergency Management Agency (FEMA) has issued an advisory urging organizations to ensure that their emergency alert systems are patched, but a researcher says there are no patches for some of the vulnerabilities affecting these systems.

The emergency alert system (EAS) in the United States enables authorities to broadcast emergency alerts and warning messages — such as ​​weather and AMBER alerts — to the public over TV and radio.

FEMA warned this week in an Integrated Public Alert and Warning System (IPAWS) advisory that vulnerabilities affecting EAS encoder and decoder devices can allow hackers to issue unauthorized alerts over TV, radio and cable networks. This has been known to happen. In 2020, hackers exploited a vulnerable device to issue a false warning of a radiological hazard.FEMA warns of emergency alert system vulnerabilities

The agency noted that Ken Pyle, a researcher at security and incident response firm Cybir, will disclose the vulnerabilities at the DEF CON conference taking place next week in Las Vegas.

Organizations have been urged to ensure that their systems have the most recent updates and security patches, that devices are protected by a firewall, and that the devices and supporting systems are monitored, with logs reviewed regularly for signs of compromise.

While the FEMA advisory does not name impacted products, Pyle told SecurityWeek that he conducted his research on the R189 DASDEC encoder/decoder from Digital Alert Systems, formerly Monroe Electronics. The researcher acquired the device from eBay.

He plans on showing at DEF CON that the devices are unencrypted, implemented poorly, they reuse keys, and their software is highly insecure, with web application vulnerabilities that put them at risk. The researcher says he has also obtained credentials and metadata on several EAS networks and providers as a result of his analysis.

Pyle also warns that many stations leave the affected devices exposed on the internet — as shown by a Shodan search — making it easier for hackers to exploit vulnerabilities.

The researcher started reporting vulnerabilities to Digital Alert Systems in 2019 and informed the company about some additional issues this year.

Advertisement. Scroll to continue reading.

However, Pyle is not happy with Digital Alert Systems’ vulnerability disclosure process. He says some of the flaws have been patched, but no CVE identifiers were assigned.

FEMA’s alert suggests that installing the latest update on the EAS encoder can prevent abuse, but Pyle claims it does not, as there are problems that the vendor has not fixed or cannot fix, including issues related to practices, implementation and design.

The researcher says the vendor is downplaying the severity of his findings, but the company does not even have the full picture.

“I haven’t fully disclosed all of my research to them due to lack of cooperation and communications,” the researcher told SecurityWeek.

“They’ve said publicly that my work is old / outdated. It is not. I can prove this and will,” he added.

Cybersecurity researchers have been finding vulnerabilities in EAS products from Digital Alert Systems for at least a decade.

SecurityWeek has reached out to the company for comment and will update this article if it responds.

Related: Presidential Phone Alerts Can Be Spoofed, Researchers Say

Related: Hackers Broadcast Zombie Apocalypse Alert on US TV

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Don’t miss this Live Attack demonstration to learn how hackers operate and gain the knowledge to strengthen your defenses.

Register

Join us as we share best practices for uncovering risks and determining next steps when vetting external resources, implementing solutions, and procuring post-installation support.

Register

People on the Move

SSH Communications Security has appointed Pauli Haikonen as the company’s Chief Information Security Officer (CISO).

Cloud and container security firm Sysdig has tapped William Welch as CEO on its path to an IPO.

Dave Scher has been promoted to Deputy Chief Information Officer at MITRE.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.