FEMA Warns Of Big Vulnerabilities In US Emergency Alert System

Operational since December 1997, the Emergency Alert System (EAS) is the de facto national warning system in the United States. Originally designed as an emergency communications medium for the President of the United States to address the country via all radio and TV stations during times of national emergency, neither the EAS nor its predecessor — the Emergency Broadcast System — have actually been used for this purpose. In fact, the system has become largely redundant due to the influx of 24-hour news channels and, of late, the advent of social media.

However, the Emergency Alert System has found utility at a regional scale where local agencies use it to issue imminent public safety warnings about threats like severe weather, AMBER alerts, and other civil emergencies. Given that the EAS continues to play a crucial role in disseminating authentic, government-approved information via mainstream media outlets, the system must be free of vulnerabilities to reduce the chances of it being misused. Unfortunately, that doesn't seem to be the case.

A recent bulletin issued by the Federal Emergency Management Agency (FEMA) reveals that the Emergency Alert System is susceptible to cyber-attacks because of a hitherto unknown vulnerability. The vulnerability will be demonstrated as a proof of concept at the upcoming DEFCON 2022 conference.

How vulnerable is the Emergency Alert System?

The FEMA advisory reveals that the exploit was first reported by Ken Pyle, a security researcher at CYBIR. In 2019, he reported these vulnerabilities to Digital Alert Systems, a firm that makes the emergency-alert software, following which the company issued a security patch to fix the issue. However, not every system running the software has been updated to the newest version.

Meanwhile, CNN reports that the vulnerability could potentially let a hacker take control and broadcast fake messages over the system. FEMA has come across compelling evidence pointing towards this vulnerability. Thankfully, the vulnerability only seems to affect a select number of encoder/decoder devices in possession of EAS participants, which have not been updated to recent software versions.

The FEMA advisory recommends taking three key steps to prevent the vulnerability from being exploited. While the first step is to get all EAS devices up to date with the most recent software versions, additional steps include these devices being protected by a firewall and robust security mechanisms. As an additional line of defense, FEMA also recommends that EAS devices are continuously monitored with regular audits to ensure no unauthorized access becomes possible.

At this stage, it is unclear how many systems that are part of the Emergency Alert System are affected by this vulnerability. The CNN report, however, does quote Ed Czarnecki, the vice president of global and government affairs digital Alert Systems, who confirms that a majority of the systems have been patched.