Teenagers using their phones looking stressed over Emergency Alert Systems with vulnerable software

Chief Engineer: FEMA Emergency Alert Systems at Risk of Hacking Due to Vulnerable Software

The Federal Emergency Management Agency (FEMA)’s chief engineer for the Integrated Public Alert & Warning System is issuing a public call for improved cybersecurity, warning that vulnerable software used in the Emergency Alert Systems has created an opening for hackers.

An attacker could use this vulnerability to issue fake alerts via the Emergency Alert Systems. The vulnerable software is in the possession of television and radio stations throughout the country, who are being called upon to download a software update and ensure that firewalls protecting the systems are in good working order.

FEMA Emergency Alert Systems could be compromised via exploitable security controls

While not a case of a security breach or any kind of hacking of the Emergency Alert Systems, a 2018 incident that took place in Hawaii demonstrates the kind of chaos a fake alert could cause. In early January of that year, residents of the state received an emergency alert stating that a ballistic missile was inbound to the islands and that this was “not a drill.” This caused at least 10 minutes of general panic until state officials followed up by confirming that this was, in fact, a drill that had made it out to the general public by mistake.

FEMA chief engineer Mark Lucero told CNN reporters that a cybersecurity researcher had discovered vulnerable software in the Emergency Alert Systems maintained by television and radio stations. This particular issue does not appear to impact the text messaging systems, and Lucero said that there is no indication that threat actors have exploited the vulnerable software as of yet.

Security researcher Ken Pyle reportedly discovered the vulnerable software, and was contacted by CNN reporters who were shown a proof-of-concept involving a fake “civil emergency” alert that could have been sent all over the country. Pyle plans to publicly demonstrate the vulnerability at the upcoming DEFCON 2022 conference in Las Vegas.

The Emergency Alert Systems are managed by state officials, who draft the messages that are sent, but they are in possession of TV and radio stations. The vulnerable software is made by Digital Alert Systems, Inc. and can reportedly be fixed with a software update. The company that makes the software said that it has been in communication with Pyle since 2019 and has gradually been patching out vulnerabilities in its systems, and that it is important for the latest software patches to be installed as soon as possible. The firm also said that it will continue to work with security researchers to identify potential vulnerabilities going forward.

Vulnerable software allows for system takeover, presents a national security threat

Pyle said that the ability to exploit unpatched Emergency Alert Systems goes beyond being able to launch fake messages without proper authentication. Attackers can essentially take over a system, locking out legitimate users so that follow-up clarification messages cannot be issued. Pyle also said that he could exploit the web server via the vulnerable software, potentially using the opening to move farther into TV and radio station internal networks.

This is not the first time the Emergency Alert Systems have experienced a vulnerability of this severity; a similar issue had to be patched out of vulnerable software in June 2013, something that was also fortunately detected and remediated before it could be exploited by threat actors.

Maintaining public faith in the Emergency Alert Systems is more critical than ever as the country faces an unprecedented assortment of potential emergencies: more public outbreaks of transmissible viruses, flirtations of war with both Russia and China over their aggressive moves toward US-allied neighbors, extreme weather events and critical infrastructure issues (both due to accidental failure and cyber attack), just to name a few of the major possibilities. While one “false alarm” in isolation may not sour the public on the system, a string of them can create a “boy who cried wolf” attitude toward the system. Hawaii experienced something of this phenomenon in the wake of the 2018 false missile attack incident; emergency early warning sirens were mistakenly set off during police training on the island of Oahu in September of 2019, causing fear and confusion locally until officials followed up with clarification. Too many accidents of this nature could lead residents to assume that any event they hear about is just another accident.

While the vulnerable software can be fixed with a patch, FEMA also advises hosts to protect the Emergency Alert Systems at all times with a firewall and to regularly monitor and audit them for potential unauthorized access.

Ability to exploit unpatched #EmergencyAlertSystem goes beyond being able to launch fake messages without proper authentication. Attackers can essentially take over a system, locking out legitimate users. #cybersecurity #respectdataClick to Tweet

Erich Kron, security awareness advocate at KnowBe4, notes that hackers will be highly interested in these vulnerabilities for the potential financial damage they can cause: “When the Associated Press had their Twitter account taken over and it sent a tweet about an event in the White House, the stock market fell sharply … Even false alerts such as these have real world impact, and at the very least dissolve public faith in these critical systems. Organizations that manage these systems should include regular patching as an important part of the operation of these systems. While patching has been known to cause problems in IT systems, a mature and well-designed patch management program can ensure that any problems caused can be easily rolled back and the system kept online until a mitigation to the problem is found. It is simply too important for these systems to be working and secure, to not keep them up to date with security patches.”

 

Senior Correspondent at CPO Magazine