November 9, 2024

The U.S. Department of Homeland Security (DHS) has warned of critical security vulnerabilities in Emergency Alert System (EAS) encoder/decoder devices.

If left unpatched, the issues could allow an adversary to issue fraudulent emergency alerts over TV, radio, and cable networks.

The August 1 advisory comes courtesy of DHS’ Federal Emergency Management Agency (FEMA). CYBIR security researcher Ken Pyle has been credited with discovering the shortcoming.

EAS is a U.S. national public warning system that enables state authorities to disseminate information within 10 minutes during an emergency. Such alerts can interrupt radio and television to broadcast emergency alert information.

Details of the flaw have been kept under wraps to prevent active exploitation by malicious actors, although it’s expected to be publicized as a proof-of-concept at the DEF CON conference to be held in Las Vegas next week.

“In short, the vulnerability is public knowledge and will be demonstrated to a large audience in the coming weeks,” the agency said in the bulletin.

To mitigate the vulnerability, relevant participants are recommended to update the EAS devices to the latest software versions, secure them with a firewall, and monitor and audit review logs for signs of unauthorized access.