"DHS Warns of Critical Flaws in Emergency Alert System Devices"
The US Department of Homeland Security (DHS) issued a warning that attackers could use critical security flaws in unpatched Emergency Alert System (EAS) encoder/decoder devices to send fake emergency alerts over TV and radio networks. In the event of a national or local emergency, such as weather updates, impending threats, or AMBER alerts, the president or state and local authorities may broadcast vital information through the EAS when no other means of alerting the public are available. The warning was released by DHS' Federal Emergency Management Agency (FEMA) as an advisory via the Integrated Public Alert and Warning System (IPAWS). FEMA encourages all EAS participants to adequately mitigate this flaw by ensuring that their EAS devices are up to date with the most recent software versions and security patches, are protected by a firewall, and are monitored, with audit logs reviewed on a regular basis for unauthorized access. According to Ken Pyle, the Cybir researcher who discovered this critical issue in the Monroe Electronics R189 One-Net DASDEC EAS device, multiple vulnerabilities and issues confirmed by other researchers have gone unpatched for several years, resulting in a massive flaw. When asked what he could do after successful exploitation, Pyle stated that he could easily obtain access to the credentials, certificates, and devices as well as exploit the web server, send fake alerts via crafted messages, and more. He can also prevent legitimate users from responding by neutralizing or disabling them. Almost a decade ago, Monroe Electronics, now known as Digital Alert Systems, patched a critical vulnerability affecting the same EAS device. If left unpatched, that vulnerability lets remote attackers get root access and spoof alerts via an SSH session by using a shared private root SSH key exposed in publicly available firmware images.
This article continues to discuss DHS' warning of critical security vulnerabilities in unpatched EAS encoder/decoder devices.
Bleeping Computer reports "DHS Warns of Critical Flaws in Emergency Alert System Devices"