'Huge Flaw' Threatens US Emergency Alert System, DHS Researcher Warns (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: The US Department of Homeland Security is warning of vulnerabilities in the nation's emergency broadcast network that make it possible for hackers to issue bogus warnings over radio and TV stations. "We recently became aware of certain vulnerabilities in EAS encoder/decoder devices that, if not updated to the most recent software versions, could allow an actor to issue EAS alerts over the host infrastructure (TV, radio, cable network)," the DHS's Federal Emergency Management Agency (FEMA) warned. "This exploit was successfully demonstrated by Ken Pyle, a security researcher at CYBIR.com, and may be presented as a proof of concept at the upcoming DEFCON 2022 conference in Las Vegas, August 11-14."

Pyle told reporters at CNN and Bleeping Computer that the vulnerabilities reside in the Monroe Electronics R189 One-Net DASDEC EAS, an emergency alert system encoder and decoder. TV and radio stations use the equipment to transmit emergency alerts. The researcher told Bleeping Computer that "multiple vulnerabilities and issues (confirmed by other researchers) haven't been patched for several years and snowballed into a huge flaw."

"When asked what can be done after successful exploitation, Pyle said: 'I can easily obtain access to the credentials, certs, devices, exploit the web server, send fake alerts via crafts message, have them valid / pre-empting signals at will. I can also lock legitimate users out when I do, neutralizing or disabling a response,'" Bleeping Computer added.

  • We don't need this fascist crap anymore. Break them apart and spend the money on our real problems. We already lost the war in Afghanistan; why can't we get rid of the other failures here at home?
    • After the Hawaiian Missile Crisis [gq.com] I'm not sure I disagree. But then again, the Emergency Broadcast System has proven useful over the years for weather threats and the like.

      • by Revek ( 133289 ) on Friday August 05, 2022 @08:30PM (#62766146)
        Give it back to NOAA. I was responsible for the alert system at a cable headend and DHS was impossible to deal with on every test. We had problems with the radio stations we had to monitor if the internet alert failed. They ignored the data on every test. Would often have us listed as a successful test as well as the radio station that failed to send an alert. They just penciled it in (lied) and DHS was clueless and utterly unable to catch these lapses. We got way more help from the company that sold us the unit https://www.digitalalertsystem... [digitalalertsystems.com] formerly Monroe Electronics than we ever did from DHS. We just added more radio receivers and monitored more radio stations to overcome the local broadcasters' ignored failures. I have no doubt that my experience was the norm.
        • Re: (Score:2, Informative)

          NOAA is too full of do-gooder scientists to allow such a potentially important part of the national infrastructure to be controlled by them.

          I managed some EBS systems way back when for a non-public group (long story, can't talk about) and it ended up not being all that important because nobody was using it, but I had a big eye opening experience from it. I got the same vibe from you. When they went EAS and especially when Cheney's cronies took over running everything, you might have just nuked the whole pr
        • Well, better than an AC brain fart as FP, but not that much better. How about if you [Revek] bookmark the FP and establish your Subject, then explain what you mean, especially if you want to use loaded and relatively meaningless words in your comment. By waiting for the reply I think you lost your focus, so yes, I am suggesting that you should have replied to your own FP. (Best we can do with the Slashdot tool as it exists now?)

          Also nice if you link it back to the story as summarized on Slashdot. I know it

          • by Revek ( 133289 )
            Pretentious is a word that was made to describe your post. You have said nothing relevant to the post. Nothing at all. You seem to be focused on my being the first post. When I didn't even notice.

            You suggested I didn't read the post and articles. I already had prior to the slashdot post. In fact I had sent the article to the guy currently responsible for the EAS systems I installed. He already knew and they had updated them some time ago.

            My follow up was my own personal experience with the DHS bu
            • by mysidia ( 191772 )

              This isn't the company that manufactured the units fault.

              Eh? Of course it's their fault. They delivered defective code with a security vulnerability.

              The update is a repair/mitigation for defective code, but it is still the device manufacturer's fault there was a defect in the code they originally shipped with.

              In addition... All too often manufacturers' communication efforts to make sure all units in customers' hands containing code with a known defect are clearly identified and documented when each u

              • by shanen ( 462549 )

                The rudeness of the discussion has basically driven me out of it, but I think your comment is confusing moral fault with legal liability.

                The dominant principle of software development these days is "Whatever happens to you because of my bad software, my legal liability is limited, preferably to 'none'." Almost surely not a simple shrinkwrap contract in this case, but I'm sure they applied the same principles to the maximum degree possible when they were preparing the contract. I think most of the discredit

                • by Revek ( 133289 )
                  Then you shouldn't have been rude. Choosing to discuss not the content of the article but how I made my first post. How I didn't make it to your standard. How you couldn't reconcile what I said in the first post with the additional information I provided in the second post. Where I talked about a familiarity with the equipment and the company involved. Where you stretched my opinion of DHS and their usefulness into some vague meaningless political commentary. Without once making any point of any kind.
                  • by shanen ( 462549 )

                    Oh, so it's RUDE you want. You missed your chance to apologize. Not wasting my time reading farther.

                    Insofar as I can remember your identity, I'll ignore you. Thank you for reciprocating. Or for dropping dead. No difference that I can detect.

                    Why would I (or anyone else) care?

              • by Revek ( 133289 )
                The Bleeping Computer article specifically says Monroe Electronics patched it nine years ago. So if I don't update a server for nine years and it gets taken over, that's the fault of the manufacturer? I've spoken to someone who has been in communication with DAS about this issue and he didn't seem worried about it. I'm sure there are units out there that have not been patched in that time but that is hardly the fault of the manufacturer. They have no ability to force someone to update their EAS units. DHS s
                • by mysidia ( 191772 )

                  So if I don't update a server for nine years and it gets taken over, that's the fault of the manufacturer?

                  Actually, yes. Ultimately it doesn't matter whether it's day 1 or day 3285. Purchase is a forever transaction based on their representation that the product does X at the time of sale; the defect is in a product shipped by the manufacturer, and you could prove that. Software code does not undergo wear-and-tear, so short of a defect in ROM storage, you can assure the code loaded on the unit is

            • by shanen ( 462549 )

              NAK

        • Around 20 years ago I spent much time in a lab with headend equipment, EAS boxes, and a few hundred televisions. One day, during some recurring geopolitical crisis, I heard the EAS tone, looked up, and saw "NATIONAL" scrolling across numerous screens. My heart eventually resumed normal rhythm.
    • by Chas ( 5144 )

      The DNC can fuck up anything.

  • by Powercntrl ( 458442 ) on Friday August 05, 2022 @09:55PM (#62766228)

    'Huge Flaw' Threatens US Emergency Alert System

    That sounds serious.

    radio and TV stations

    Oh, had me worried there for a minute. I thought hackers could make emergency alerts pop up somewhere I might actually see them, like on my phone.

  • by Anonymous Coward

    Just trying to imagine the chaos that would have ensued if the Jan 6th insurrectionists had the ability to lock out the officials and broadcast their own nation-wide emergency instructions and it seems scarier than a nuke.

    • Just remember:

      "'You Can't Be Pro-Insurrection And Pro-American,' Says President Of Nation Founded By An Insurrection"

      https://babylonbee.com/news/yo... [babylonbee.com]

    • by Revek ( 133289 )
      Relax. They can't do it nationwide, only to individual units. The manufacturer of these units told us not to give them a public-facing IP. We put ours behind a firewall just like all the other equipment. The flaw is only exploitable if they can get to the web GUI on them. DHS needs to add software revision on EAS units to their checklists. Not that they pay any attention to those.
  • We might not be able to survive a protracted nuclear war, BUT we may have medium threats that would be more survivable if we were better prepared.
