"FCC's Proposal to Strengthen Emergency Alert Security Might Not Go Far Enough"

The US Federal Communications Commission (FCC) issued a Notice of Proposed Rulemaking (NPRM) in October to bolster the security of the nation's Emergency Alert System (EAS) and Wireless Emergency Alerts (WEA). These systems alert the public about emergencies via AM, FM, and satellite radio, as well as through broadcast, cable, and satellite TV on their televisions, radios, and wireless phones. Although EAS participants are required to broadcast presidential alerts, they do so voluntarily for state and local EAS alerts. The NPRM proposes that broadcasters and cable companies must report incidents of unauthorized access to their EAS equipment to the FCC within 72 hours. It also proposes requiring wireless providers that deliver emergency alerts to certify on an annual basis that they have a cybersecurity risk management plan in place and have implemented adequate security measures for their alerting systems. Furthermore, it proposes that wireless providers transmit adequate authentication information to ensure that consumer devices only display valid alerts. Malicious actors exploiting vulnerabilities in the nation's EAS have been a source of concern for years, and it is not entirely theoretical. The FCC describes incidents that have raised concern about what might happen if an attacker breached one or more emergency alert providers. The most well-known of these incidents was the 2018 "zombie attack" warning that was broadcasted over multiple Midwest television stations, a prank made possible by the stations' failure to change the default passwords on their EAS equipment. Ken Pyle, a security researcher at CYBIR, released some research, prompting the commission to issue this latest NPRM. Pyle discovered a flaw in an EAS encoder and decoder, specifically the Monroe Electronics R189 One-Net DASDEC EAS device, which is widely used by EAS providers. The flaw could allow attackers to gain access to credentials, devices, and servers, enabling them to send false messages and lock out legitimate users, effectively disabling all responses. This article continues to discuss the FCC's proposal to strengthen emergency alert security and the need for next-generation technology to take EAS security to the next level. 

CSO Online reports "FCC's Proposal to Strengthen Emergency Alert Security Might Not Go Far Enough"