Researcher: National Emergency Alert System is Easy To Exploit
© AP Photo / Pablo Martinez MonsivaisThe Homeland Security logo is seen during a joint news conference in Washington, Feb. 25, 2015
© AP Photo / Pablo Martinez Monsivais
The Emergency Alert System is most commonly used to issue Amber alerts and severe weather warnings. It is also used to warn of military attacks, nuclear power plant failures, or send virtually any other message.
The Department of Homeland Security is telling state and local governments to update software and beef up security around devices connected to the nationwide Emergency Alert System (EAS). The recommendation comes days after security researcher Ken Pyle revealed vulnerabilities in devices used by officials to encode EAS alerts.
Pyle told KerbsOnSecurity that he first discovered the vulnerabilities in 2019 after buying old EAS equipment on eBay. He quickly found the vulnerabilities and alerted the FBI, DHS, and the manufacturer of the devices. Pyle decided to give the manufacturer and government time to address the issue before going public.
He started to worry after the Jan 6, 2021 riot at the US Capitol, fearing that the vulnerabilities could be used “to start a civil war.”
That is because despite a patch being issued in 2019, many of the devices have not been updated either because they are too old for the new firmware or because of simple neglect by the operators. Pyle also says that many operators do not perform basic security measures recommended by the manufacturer, like changing the default password and putting the devices behind a firewall.
This is a problem because of the way EAS messages are distributed. There is no central authority and the process is automated in most cases. This means that someone could issue an alert locally and as long as it is accepted as a real EAS alert, it could spread nationwide.
“These devices are designed such that someone locally can issue an alert, but there’s no central control over whether I am the one person who can send or whatever,” Pyle told KerbsOnSecurity. “If you are a local operator, you can send out nationwide alerts. That’s how easy it is to do this.”
One device obtained by Pyle was a non-functional EAS device, purchased from an electronics recycling company. While the device no longer operated, the person who discarded it and the recycling company neglected to wipe the hard drive, giving Pyle access to cryptographic keys allowing him to broadcast messages on Comcast’s network, the third largest cable company in the US.
Comcast told KerbsOnSecurity in a statement that the EAS was lost by a third-party shipper and that the keys and credentials found on the device will no longer work on their system. They also thanked Pyle for his research and for informing them about the issue.
EAS vulnerabilities have been exploited in the past. In 2013, someone hacked the EAS networks in Great Falls, Montana, and Marquette, Michigan, using their access to issue an alert saying that zombies are rising from their graves. That same prank was repeated in Indiana in 2017. There have been other incidents, though they did not include zombies.