FEMA issues warning to emergency alert system managers that devices could be hacked
The Federal Emergency Management Agency (FEMA) issued a warning this week to participants in the emergency alert system (EAS) that vulnerabilities can be used to allow threat actors to issue alerts over TV, radio, and cable networks.
EAS allows the federal government, the president or state-level officials to send out emergency warnings about potential weather issues or AMBER alerts for missing children. The alerts are typically sent over broadcast, cable, and satellite TV as well as radio channels and other outlets.
FEMA said the public warning system requires radio and TV broadcasters, cable TV, wireless cable systems, satellite and wireline operators “to provide the President with capability to address the American people within 10 minutes during a national emergency.”
FEMA did not specify the issues in the warning system but said they are found in EAS encoder/decoder devices that have not been updated to the most recent software versions.
Bennet Kobb, a spokesperson for FEMA, told The Record that the notice did not pertain to wireless emergency alerts on phones and only focused on EAS devices in radio and TV stations and cable facilities.
Sent through the Integrated Public Alert and Warning System, the FEMA notice said exploitation of the system has been demonstrated by CYBIR.com security researcher Ken Pyle and noted that Pyle will present a proof of concept at the DEFCON 2022 conference in Las Vegas next week.
“In short, the vulnerability is public knowledge and will be demonstrated to a large audience in the coming weeks,” FEMA said.
FEMA strongly encouraged EAS participants to make sure that their devices and supporting systems are up to date with all security patches and protected by a firewall. They also asked that all EAS devices and supporting systems are monitored and audit logs are “regularly reviewed looking for unauthorized access.”
FEMA Press Secretary Jeremy Edwards said the agency is working with the Federal Communications Commission (FCC), to assist “broadcast partners to help correct this issue.” Edwards added that the vulnerability does not directly impact any of FEMA’s systems.
Despite having sent out the initial warning about the issues with EAS, FEMA said it is the FCC’s Public Safety and Homeland Security Bureau that is in charge of regulating the alert system and is responsible for broadcaster compliance.
A spokesperson for the FCC said as of December, there were approximately 25,644 EAS participants in the United States and its territories.
The FCC also published its own alert on Friday with much of the same information released by FEMA.
“EAS Participants must ensure that their EAS equipment’s monitoring and transmitting functions are available whenever the stations and systems are operating. [The FCC] has previously warned EAS Participants about this vulnerability and encouraged them to secure their EAS equipment by installing current security patches and using firewalls,” the FCC notice said.
“The Bureau again urges all EAS Participants, regardless of the make and model of their EAS equipment, to upgrade their equipment software and firmware to the most recent versions recommended by the manufacturer and secure their equipment behind a properly configured firewall as soon as possible.”
The agency added that any organization that fails to receive or transmit EAS messages during national tests or actual emergencies because of an equipment failure “may subject the EAS Participant to enforcement.”
When contacted for comment, Pyle told The Record that he was also unsure of how many EAS participants there are but noted that more information will be coming out about the issue soon.
“Part of the reason this snowballed, [is that] it has never been fixed correctly. [It] is the shadow IT problem. This is an ‘everyone’ problem,” Pyle said, noting that FEMA representative Mark Lucero was very responsive and worked closely with him to address the issues.
Lucero told CNN that there is no evidence the vulnerabilities have been exploited.
But Pyle noted that FEMA doesn’t actually manage the systems because they are administered and run by local stations, authorities and affiliates.
“One of the problems is these are everywhere, anyone can launch an alert with the right access… even by accident,” he explained. “No one can or will tell you what the patch status is… but they will definitely say it’s not zero. That uncertainty should terrify you.”
He was also unsure if any CVEs have been created in relation to the issues he discovered but said he requested the manufacturer register in 2019 for old issues and it never occurred.
While he expressed hope that some CVEs will be created now, he noted that some of the issues he found wouldn’t be CVEs “because they’re design flaws, abuse of functionality, or poor and lax practices endemic to every organization.”
“You can’t just patch this away. This is a problem no one will own until it’s unavoidable,” he said.
When asked how he discovered the issue, Pyle said he would discuss it at a later date because it “gives away the problem.” All of the issues he discovered would be rated critical, he added, noting that when they are all rolled together, that is where the issues arise.
“What got me to talk more was the events of Jan 6th and the Ukraine. If I can do this… anyone can and they won’t be so ethical,” Pyle said.
“Worst case? What if I issued a civil alert on Jan 6th or when Russia was invading Ukraine?” he added.