The US DHS warns of critical security vulnerabilities in Emergency Alert System (EAS) encoder/decoder devices.
The Department of Homeland Security (DHS) warned of critical security vulnerabilities in Emergency Alert System (EAS) encoder/decoder devices. Threat actors could exploit the flaws to send fake emergency alerts via TV, radio networks, and cable networks.
The Emergency Alert System (EAS) is a national public warning system that requires radio and TV broadcasters, cable TV, wireless cable systems, satellite and wireline operators to provide the President with the ability to address the American people within 10 minutes during a national emergency.
The alert was issued by the DHS Federal Emergency Management Agency (FEMA) through the Integrated Public Alert and Warning System (IPAWS).
The vulnerabilities in EAS encoder/decoder devices were discovered by security researcher Ken Pyle from CYBIR.
“We recently became aware of certain vulnerabilities in EAS encoder/decoder devices that, if not updated to most recent software versions, could allow an actor to issue EAS alerts over the host infrastructure (TV, radio, cable network).” reads the advisory. “This exploit was successfully demonstrated by Ken Pyle, a security researcher at CYBIR.com, and may be presented as a proof of concept at the upcoming DEFCON 2022 conference in Las Vegas, August 11-14.”
The US DHS did not disclose details about the flaw to prevent active exploitation in the wild.
The researcher plans to disclose as a proof of concept for the issues at the upcoming DEFCON 2022 conference in Las Vegas, August 11-14.
FEMA recommends EAS participants to ensure that:
- EAS devices and supporting systems are up to date with the most recent software versions and security patches;
- EAS devices are protected by a firewall;
- EAS devices and supporting systems are monitored and audit logs are regularly reviewed looking for unauthorized access.
Follow me on Twitter: @securityaffairs and Facebook
(SecurityAffairs – hacking, Emergency Alert System)