(CNN) — Vulnerabilities in software that TV and radio networks across the country use to send emergency alerts could allow a hacker to broadcast fake messages through the alert system, a Federal Emergency Management Agency official told CNN.
A cybersecurity researcher provided FEMA with “convincing evidence to suggest certain unpatched and unsecured EAS [Emergency Alert System] devices are indeed vulnerable,” said Mark Lucero, chief engineer for the Integrated Public Alert & Warning System, the national system state and local officials use to send urgent alerts about natural disasters or child abductions.
The agency this week urged operators of the devices to update their software to address the issue, saying the false alerts could theoretically be delivered through TV, radio and cable networks. The advisory did not say that alerts sent via text messages were affected. There is no evidence that malicious hackers exploited the vulnerabilities, Lucero said.
It’s unclear how many emergency alert devices the vulnerable software is running on. FEMA referred a request for an estimate of that figure to the FCC, which did not immediately respond to a request for comment.
Ken Pyle, the cybersecurity researcher who discovered the problem, told CNN that he purchased several EAS devices independently and found poor security controls. He shared an example of a fake alert he made, but didn’t send, declaring a “civil emergency” for certain counties and territories in the US.
Television and radio networks own and operate the equipment and broadcast the emergency alerts, but the alerts themselves are created by local authorities.
Digital Alert Systems, Inc., the New York-based company that makes the emergency alert software, said Pyle first reported the vulnerabilities to the company in 2019, when the company released updated software to address the issue.
However, Pyle told CNN that later versions of the Digital Alert Systems software were still susceptible to some of the security vulnerabilities he discovered.
“We take all security reports very seriously,” Ed Czarnecki, vice president of Global and Government Affairs at Digital Alert Systems, told CNN. He added that the company will examine future software releases for issues reported by Pyle.
“The vast majority of our users are very good at keeping up with software updates,” Czarnecki said, adding that users can further mitigate the problem by ensuring the device is protected by a firewall.
Seeing law enforcement communications go down in the days leading up to the Jan. 6, 2021, attack on the U.S. Capitol motivated Pyle to dig further into the security of that kind of communications, he said.
“It’s a major critical infrastructure problem that everyone should own,” said Pyle, a partner at security firm CYBIR. He will demonstrate his research next week in Las Vegas at DEF CON, one of the world’s largest hacking conferences.
The misuse of emergency alerts can cause panic.
In 2018, a Hawaii Emergency Management Agency employee was supposed to test the alert system, but instead sent actual text messages to the cell phones of Hawaiian residents and tourists about an alleged incoming ballistic missile, telling them to “LOOK FOR HOME IMMEDIATELY.”
™ & © 2022 Cable News Network, Inc., a WarnerMedia company. All rights reserved.