The Department of Homeland Security has issued an advisory after vulnerabilities were found in its Emergency Alert Systems (EAS).
EAS technology is designed to fire out warning messages during times of national emergency. It can be used to warn of coastal flooding, earthquakes, child abduction, evacuations, and more, via multiple channels, including TV, SMS, and radio. If people are able to tamper with these systems, they can send false alerts. This is incredibly serious and could cause widespread panic, disruption, even injury or loss of life.
The advisory reads as follows:
We recently became aware of certain vulnerabilities in EAS encoder/decoder devices that, if not updated to most recent software versions, could allow an actor to issue EAS alerts over the host infrastructure (TV, radio, cable network).
This exploit was successfully demonstrated by Ken Pyle, a security researcher at CYBIR.com, and may be presented as a proof of concept at the upcoming DEFCON 2022 conference in Las Vegas, August 11-14.
In short, the vulnerability is public knowledge and will be demonstrated to a large audience in the coming weeks.
The advice for anyone maintaining an EAS:
Ensure devices and supporting systems have the most recent software versions and security patches.
Protect devices with a firewall.
Monitor EAS devices and supporting systems and review audit logs regularly for unauthorized access.
Sadly, this kind of thing isn’t remotely new. Multiple high-profile alert-related compromises and accidents have happened in recent years. If you thought this would all be sorted out by now, you’d be mistaken.
Tipping points that didn’t tip
In 2020, an individual using the handle Virtrux claimed there were "thousands of open access methods to both the US and Canadian Emergency Alert Systems". Port scanning systems frequently used for emergency alerts revealed keywords that were potentially used for the alerts. From there, the attacker was able to grab service/default passwords via a splash of social engineering.
In November, 2020, virtrux tweeted images which appeared to show they had access to a system that allowed them to generate an EAS message.
What would you send to everyone in the United States? @thugcrowd pic.twitter.com/jkQwfmPem6— virtrux (j3ws3r) (@virtrux) November 23, 2020
Consider the chaos generated back in 2018 when an alert in Hawaii regarding an incoming missile was sent in error. Think of the sheer bedlam someone with full access to custom messages could generate with a few clicks of a keyboard.
Now wind forward to the present day and realise that we still have a long way to go.
Accidents, incidents, and shenanigans
Just last month, Spanish police arrested individuals suspected of tampering with a system used to monitor gamma radiation levels. In 2019, Australia’s early warning system for dangerous weather was compromised. On a related note, signs used to warn of bad weather or crashes on highways are notoriously easy to hijack. Even the humble traffic light doesn’t escape from the gravitational pull of unauthorised access.
As long as default settings and a lack of patching exists, it is hard to see these problems going away. The big question is what do authorities have in place as a backup if their emergency notifications go horribly wrong?