FCC, FEMA Raise Alarm Bells About Vulnerabilities in Emergency Alert System


Both agencies warned that software and equipment vulnerabilities could allow hackers to transmit fake emergency messages or disrupt real ones. 

Emergency messages sent via the Emergency Alert System over TV, radio and cable networks could be exploited because of technological vulnerabilities, the Federal Emergency Management Agency and the Federal Communications Commission warned Friday.

The FCC’s Public Safety and Homeland Security Bureau issued a public notice encouraging EAS communications providers to take measures to mitigate the hacking of their equipment.

Specifically, the FCC urged providers to secure their equipment against risks affecting “devices that are publicly accessible from the Internet” because of the potential for IP-based attacks. 

The FCC’s warning comes after FEMA delivered an advisory earlier this month about a potential vulnerability in some EAS encoder/decoder devices that did not have up-to-date software. According to FEMA, if EAS devices are not up to date, “it could allow an actor to issue EAS alerts over the host infrastructure.”

The vulnerability was discovered by security researcher Ken Pyle. FEMA noted that the vulnerability is public knowledge and may be demonstrated to a large group at the DEFCON 2022 conference later this week. 

Federal law requires EAS participants to make sure their EAS equipment’s monitoring and transmitting functions are available anytime the stations and systems are operating. Furthermore, failure to receive or transmit an EAS message because of equipment issues could cause an EAS participant to face enforcement.

Public Safety and Homeland Security Bureau Chief Lisa M. Fowlkes previously sent an email to EAS participants about this vulnerability and recommended addressing it by installing security patches and using firewalls. In the public notice, the bureau encouraged all EAS participants to upgrade their equipment, software and firmware to the most up-to-date versions recommended by manufacturers and to promptly secure equipment behind a properly configured firewall.

As good practice, the bureau also suggested EAS participants take the following measures: install manufacturer software security patches as soon as they are available; change default passwords; continuously monitor equipment and software, in addition to examining audit logs and reporting incidents of unauthorized access; and review data security best practices.