(CNN) — Vulnerabilities in software that TV and radio networks around the country use to transmit emergency alerts could allow a hacker to broadcast fake messages over the alert system, a Federal Emergency Management Agency official tells CNN.
A cybersecurity researcher provided FEMA with “compelling evidence to suggest certain unpatched and unsecured EAS [Emergency Alert System] devices are indeed vulnerable,” said Mark Lucero, the chief engineer for Integrated Public Alert & Warning System, the national system that state and local officials use to send urgent alerts about natural disasters or child abductions.
The agency this week urged operators of the devices to update their software to address the issue, saying that the false alerts could in theory be issued over TV, radio and cable networks. The advisory did not say that alerts sent over text messages were affected. There is no evidence that malicious hackers have exploited the vulnerabilities, Lucero said.
It’s unclear how many emergency alert system devices are running the vulnerable software. FEMA referred a request for an estimate of that figure to the FCC, which did not immediately respond to a request for comment.
Ken Pyle, the cybersecurity researcher who discovered the issue, told CNN that he acquired several of the EAS devices independently and found poor security controls. He shared an example of a fake alert he crafted, but did not send, that declared a “civil emergency” for certain counties and areas in the US.
TV and radio networks own and operate the equipment and transmit the emergency alerts but they are drafted by local authorities.
Digital Alert Systems, Inc., the New York-based firm that makes the emergency-alert software, said that Pyle first reported the vulnerabilities to the firm in 2019, at which time the firm issued updated software to address the issue.
However, Pyle told CNN that subsequent versions of the Digital Alert Systems software were still susceptible to some of the security issues he discovered.
“We take all security reports very seriously,” Ed Czarnecki, Digital Alert Systems’ vice president of global and government affairs, told CNN. He added that the firm will examine future software releases for any issues reported by Pyle.
“The vast majority of our users have been very good at keeping up with software updates,” Czarnecki said, adding that users can further mitigate the issue by ensuring the device is protected by a firewall.
Seeing the breakdown of law enforcement communications in the days before the January 6, 2021, attack on the US Capitol motivated Pyle to dig further into the security of those types of communications, he said.
“It’s a big critical infrastructure problem everyone needs to own,” said Pyle, who is a partner at security firm CYBIR. He will demonstrate his research next week in Las Vegas at DEF CON, one of the world’s biggest hacking conferences.
The misuse of emergency alerts can create panic.
In 2018, an employee of a Hawaii Emergency Management Agency was supposed to test the alert system but instead sent actual text messages to the cellphones of Hawaiian residents and tourists about a supposed incoming ballistic missile that told them to “SEEK IMMEDIATE SHELTER.”