Emergency Alert System Security Flaws Leave Us Vulnerable To Faked Broadcasts Warns FEMA

The US Government’s Cybersecurity and Infrastructure Security Agency (CISA) maintains a list of exploited vulnerabilities and releases notices urging organizations, particularly government agencies and contractors, to patch said vulnerabilities. However, CISA isn’t the only one looking out for US infrastructure. Ken Pyle, an independent cybersecurity researcher, is raising alarms about a set of vulnerabilities in the country’s emergency alert infrastructure.

Back in 2019, Pyle found a set of vulnerabilities in the software used by TV and radio networks to transmit emergency alerts. A threat actor could exploit these vulnerabilities to broadcast fake messages over TV, radio, and cable networks using the Integrated Public Alert & Warning System intended for broadcasting natural disaster and child abduction alerts. After discovering these vulnerabilities, the cybersecurity researcher promptly notified the company that develops the emergency alert software, Digital Alert Systems Inc. The company then released patches intended to fix the vulnerabilities.

However, now three years later, Pyle says that these same vulnerabilities persist in versions of the software released since the patches were first published. While government authorities issue emergency alerts, the equipment that broadcasts these alerts is owned and operated by TV and radio networks. Pyle was able to get his hands on some of this equipment to test for security vulnerabilities. He managed to prepare a fake alert within the software that declared a “civil emergency,” though he did not send the message.

Pyle provided this evidence to the Federal Emergency Management Agency (FEMA), which is now urging owners of the emergency broadcast equipment to update the software. Ed Czarnecki, vice president of global and government affairs for Digital Alert Systems, told CNN that “The vast majority of [the company’s] users have been very good at keeping up with software updates.” According to the chief engineer of the Integrated Public Alert & Warning System, there’s no evidence that these vulnerabilities have been exploited by malicious actors, which is a relief. Hopefully the maintainers of the emergency equipment will apply the updates necessary to prevent anyone from exploiting the vulnerabilities in the future.

Nathan Wasson
