The entire population of the United States relies on the Federal Emergency Management Agency (FEMA)’s Emergency Alert Systems for its first warning of natural disasters and threats to public safety. One of the system’s chief engineers is now warning that vulnerable software is broadly present, and it has the sorts of openings that attackers might exploit to issue messages and even gain full control of these systems.
Radio, TV stations sitting on vulnerable software
While the Emergency Alert Systems are under the purview of the federal government, and the crafting of emergency messages is up to state authorities, most of the actual software is in the hands of the radio and television stations that actually issue the alerts. It is up to these stations to keep software up to date, but the unfortunate reality is that many appear to be sitting on vulnerable software.
The simplest thing for attackers to do would be to use the Emergency Alert Systems to issue fake messages, interrupting television and radio broadcasts. But the vulnerable software allows attackers to go even farther than this. Legitimate accounts could be locked out for extended periods of time, preventing any quick response other than entirely taking stations off the air. Systems that are not segmented from the internet could also be used as an opening into station internal networks.
There has yet to be a major exploitation of the Emergency Alert Systems, but vulnerable software has needed to be patched before to avoid creating holes for attackers to walk through. The stakes are high given that a pattern of false alarms could cause the public to lose faith in and tune out the system, something that could be disastrous in an actual emergency.
Patching is needed to update the Emergency Alert Systems to remove current vulnerabilities, but FEMA is also asking stations to use a firewall and logging to add extra layers of protection.
Security controls for Emergency Alert Systems require updating, added protections
A variety of chaos could be caused simply by issuing fake messages via the Emergency Alert Systems, including convincing leaders that an attack is underway or causing stampedes and hoarding with the announcement of a natural disaster. These security issues do not appear to impact the emergency text messaging system, however; the vulnerable software is limited to radio and TV announcements.
A proof of concept of an attack on the Emergency Alert Systems was recently presented at the DEFCON 2022 conference by security researcher Ken Pyle, who had previously demonstrated to CNN reporters the ability to send out fake alerts all over the country by exploiting the vulnerable software. Impacted systems are manufactured by Digital Alert Systems, Inc. and a software update that addresses all the current issues is available for download, but that IT staff at each location must initiate it. Digital Alert Systems said that it had an ongoing relationship with FEMA and security researchers and continues to work to identify vulnerabilities in its software.