America’s Emergency Alert System Is Vulnerable to Hacker Attacks, DHS Warns

The Federal Emergency Management Agency (FEMA), a sub-compartment of the Department of Homeland Security, has issued a warning US citizens that hackers might tamper with emergency alert systems.

“We recently became aware of certain vulnerabilities in EAS encoder/decoder devices that, if not updated to most recent software versions, could allow an actor to issue EAS alerts over the host infrastructure (TV, radio, cable network),” FEMA said.

The Emergency Alert System (EAS) is the nationwide system for the government to broadcast emergency alerts and warnings to the public via cable, satellite or broadcast television, as well as AM/FM and satellite radio.

The EAS is part of the Integrated Public Alert & Warning System (IPAWS), which provides authenticated emergency and life-saving information to the public through mobile phones using Wireless Emergency Alerts, to radio and television via the Emergency Alert System, and on the National Oceanic and Atmospheric Administration's Weather Radio.

The system is primarily designed to allow the president of the United States to address the country on all available channels in case of a national emergency. Despite this, neither the system nor its predecessors have ever been used in this manner. At most, the system is used at a regional scale to inform citizens of imminent threats to public safety, like severe weather and other local emergencies.

Security researcher Ken Pyle has produced a successful exploit of the flaws found in current EAS systems, “and may be presented as a proof of concept at the upcoming DEFCON 2022 conference in Las Vegas, August 11-14,” according to the security bulletin.

“In short, the vulnerability is public knowledge and will be demonstrated to a large audience in the coming weeks,” FEMA said.

Citizens can’t do much about it except stay vigilant in case a bogus alert hits their phones. EAS participants, however, can take measures to address potential wrongdoing. In that respect, FEMA strongly encourages EAS participants to ensure that:

• EAS devices and supporting systems are up to date with the most recent software versions and security patches;
• EAS devices are protected by a firewall;
• EAS devices and supporting systems are monitored and audit logs are regularly reviewed looking for unauthorized access.

For more information about this issue, citizens are encouraged to reach out to the IPAWS Office at fema-ipaws-stakeholder-engagement@fema.dhs.gov.