FEMA recently became aware of certain vulnerabilities in EAS encoder/decoder devices that, if not updated to most recent software versions, could allow an actor to issue EAS alerts over the host infrastructure (TV, radio, cable network).
This exploit was successfully demonstrated by Ken Pyle, a security researcher at CYBIR.com, and may be presented as a proof of concept at the upcoming DEFCON 2022 conference in Las Vegas, August 11-14.
In short, the vulnerability is public knowledge and will be demonstrated to a large audience in the coming weeks.
FEMA strongly encourages EAS participants to ensure that:
- EAS devices and supporting systems are up to date with the most recent software versions and security patches;
- EAS devices are protected by a firewall;
- EAS devices and supporting systems are monitored and audit logs are regularly reviewed looking for unauthorized access.
FEMA values its partnership with broadcasters and appreciates efforts to maintain public trust and confidence in the Emergency Alert System.
Contact the IPAWS Office at firstname.lastname@example.org