The Federal Emergency Management Agency (FEMA) has issued a notice to local broadcasters warning of a security issue that could allow a hacker to transmit fake emergency alert notifications through their systems.
The exploit involves the Emergency Alert System (EAS), which allows local television and radio stations and certain subscription systems like cable television and satellite radio to transmit local, state and federal emergency notifications to viewers and listeners.
The bulletin came after security researcher Ken Pyle obtained EAS decoders and tested the exploit for himself. FEMA said Pyle might demonstrate his techniques at an upcoming security conference in Las Vegas scheduled for later this month.
Pyle told cable news channel CNN that the EAS devices he obtained were not adequately secure and that he believed he could send a fake emergency notification to the devices warning of a civil emergency in several local communities.
The security researcher reported his findings three years ago to Digital Alert Systems, a New York-based company that makes EAS receivers and decoders for broadcasters and cable systems. The company reportedly issued a software fix for EAS decoders that were on the market, but that fix did not correct all the issues identified by Pyle, and some newer decoders that are in use at broadcast stations and cable systems may not have updated software.
Pyle did not disclose his specific findings to CNN, but a source familiar with the matter said one such exploit involves activation tones that are sent to a carrier station tasked with receiving EAS messages in a given broadcast market. In some markets, the assigned carrier is an AM radio station; in other markets, a local television station agrees to be the carrier of EAS messages.
Carrier stations receive EAS alert messages from a number of sources, including FEMA, the National Weather Service and state and local emergency offices. An activation tone is sent from the public agency to the carrier station, which then receives the message and transmits it to other EAS-participating broadcasters.
Local radio and television stations are not required to accept local or state EAS messages, but they are required to transmit national messages from the President during a crisis, so many participate in the EAS system to fulfill that requirement. Cable and satellite services, including satellite radio company SiriusXM, are governed by the same requirement, which is overseen by the Federal Communications Commission (FCC).
Participating EAS stations and distributors listen for activation tones sent from a carrier broadcast station, then allow that station to temporarily take control of part or all of their transmission. Local television stations and cable operators usually allow a carrier station to transmit an audio message along with text that is “crawled” on a screen, while video programming continues in the background. Radio stations usually allow the audio portion of an EAS message to completely interrupt whatever they are broadcasting at the moment.
While there is no proof that anyone has used Pyle’s exploits in the wild, there have been times when carrier stations have accidentally triggered EAS notifications. In California, local radio station KFBK (1530 AM, 93.1 FM) accidentally sent an activation tone during an EAS test that forced a portion of “The Tom Sullivan Show” to air on local television stations. The issue was corrected within a minute.
In 2015, the FCC fined radio broadcaster iHeart Media $1 million after a morning show host named Bobby Bones used EAS warning tones in a skit four years earlier. The incident resulted in “a multi-state cascade of false EAS alerts,” the FCC said, as reported by The Desk. It also triggered an investigation by FEMA and the White House, according to documents reviewed by The Desk.
Four years after the iHeart Media issue, the FCC hit ABC Studios with a $395,000 citation after the show aired a skit that used EAS tones as part of a fake presidential address. Separately, the FCC fined AMC Networks for a broadcast of “The Walking Dead” that used EAS tones, and Discovery Communications paid $68,000 over the use of EAS tones in an Animal Planet show.
The security issues currently plaguing EAS decoders are clearly more serious than any radio or television program that uses activation tones, and FEMA is warning broadcasters to ensure their EAS equipment contains the latest software, security patches and upgrades.
In a public notice issued earlier this month, FEMA urged local broadcasters and cable distributors to monitor and audit EAS access logs to ensure that no one gains unauthorized access to their systems.
“The vulnerability is public knowledge and will be demonstrated to a large audience in the coming weeks,” FEMA said.