The US Federal Emergency Management Agency (FEMA) has issued an advisory urging organizations to ensure that their emergency alert systems are patched, but a researcher says there are no patches for some of the vulnerabilities affecting these systems.
The emergency alert system (EAS) in the United States enables authorities to broadcast emergency alerts and warning messages — such as weather and AMBER alerts — to the public over TV and radio.
FEMA warned this week in an Integrated Public Alert and Warning System (IPAWS) advisory that vulnerabilities affecting EAS encoder and decoder devices can allow hackers to issue unauthorized alerts over TV, radio and cable networks. This has been known to happen. In 2020, hackers exploited a vulnerable device to issue a false warning of a radiological hazard.
The agency noted that Ken Pyle, a researcher at security and incident response firm Cybir, will disclose the vulnerabilities at the DEF CON conference taking place next week in Las Vegas.
Organizations have been urged to ensure that their systems have the most recent updates and security patches, that devices are protected by a firewall, and that the devices and supporting systems are monitored, with logs reviewed regularly for signs of compromise.
While the FEMA advisory does not name impacted products, Pyle told SecurityWeek that he conducted his research on the R189 DASDEC encoder/decoder from Digital Alert Systems, formerly Monroe Electronics. The researcher acquired the device from eBay.
He plans on showing at DEF CON that the devices are unencrypted, implemented poorly, they reuse keys, and their software is highly insecure, with web application vulnerabilities that put them at risk. The researcher says he has also obtained credentials and metadata on several EAS networks and providers as a result of his analysis.
Pyle also warns that many stations leave the affected devices exposed on the internet — as shown by a Shodan search — making it easier for hackers to exploit vulnerabilities.
The researcher started reporting vulnerabilities to Digital Alert Systems in 2019 and informed the company about some additional issues this year.
However, Pyle is not happy with Digital Alert Systems’ vulnerability disclosure process. He says some of the flaws have been patched, but no CVE identifiers were assigned.
FEMA’s alert suggests that installing the latest update on the EAS encoder can prevent abuse, but Pyle claims it does not, as there are problems that the vendor has not fixed or cannot fix, including issues related to practices, implementation and design.
The researcher says the vendor is downplaying the severity of his findings, but the company does not even have the full picture.
“I haven’t fully disclosed all of my research to them due to lack of cooperation and communications,” the researcher told SecurityWeek.
“They’ve said publicly that my work is old / outdated. It is not. I can prove this and will,” he added.
Cybersecurity researchers have been finding vulnerabilities in EAS products from Digital Alert Systems for at least a decade.
SecurityWeek has reached out to the company for comment and will update this article if it responds.