A cybersecurity researcher provided FEMA with “substantial evidence suggesting some unpatched and insecure EAS [Emergency Alert System] devices are indeed vulnerable,” said Mark Lucero, the lead engineer for the Integrated Public Alert & Warning System, the national system that state and local officials use to send emergency alerts about natural disasters or child abductions.
The agency this week urged device operators to update their software to address the problem, saying the false alerts could theoretically be issued over television, radio and cable networks. The advisory did not indicate that notifications sent via text messages were affected. There is no evidence that malicious hackers have exploited the vulnerabilities, Lucero said.
It is unclear how many emergency notification system devices are running the vulnerable software. FEMA referred a request for an estimate of that number to the FCC, which did not immediately respond to a request for comment.
Ken Pyle, the cybersecurity researcher who discovered the issue, told CNN that he obtained many of the EAS devices independently and found insufficient security testing. He shared an example of a fake alert he built, but didn’t send, that declared a “political emergency” for certain counties and territories in the US.
Television and radio networks own and operate the equipment and broadcast emergency alerts, but the alerts are compiled by local authorities.
Digital Alert Systems, Inc., the New York-based company that makes the emergency alert software, said Pyle first reported the vulnerabilities to the company in 2019, at which point the company issued updated software to address the issue.
However, Pyle told CNN that subsequent versions of the Digital Alert Systems software were still susceptible to some of the security issues he discovered.
“We take all security reports very seriously,” Ed Czarnecki, vice president of global and government affairs for Digital Alert Systems, told CNN. He added that the company will review future software releases for any issues reported by Pyle.
“The vast majority of our users have been very good about keeping up with software updates,” Czarnecki said, adding that users can further mitigate the problem by ensuring the device is protected by a firewall.
Seeing the collapse of law enforcement communications in the days leading up to the Jan. 6, 2021, attack on the U.S. Capitol prompted Pyle to further investigate the security of those types of communications, he said.