FEMA this month issued a public alert about “certain vulnerabilities” in EAS encoder/decoder devices. Since then, the notice has spurred questions within the broadcast community about who these vulnerabilities affect and what steps are being taken to mitigate safety concerns.
It turns out that those vulnerabilities were discovered in 2019 and have since been addressed with multiple software updates by the manufacturer involved. However, protection only works if a broadcaster has kept up with those updates.
Ed Czarnecki is vice president of global and government affairs for Digital Alert Systems Inc. (DAS), a manufacturer of Emergency Alert Systems and related products. Czarnecki said he is concerned about the “generic nature” of the recent FEMA bulletin. He said DAS was alerted to these vulnerabilities more than three years ago.
He said Ken Pyle, a security researcher at CYBIR.com, contacted DAS in 2019 about its EAS DASDEC products being at risk of Cross Site Scripting (XSS). Following responsible disclosure procedures, Czarnecki said, Pyle provided ample time for the company to provide a software update for the issue before publicizing it, allowing users the opportunity to implement the update, which was provided as version 4.1 in October 2019.
FEMA’s recent advisory cautioned that Pyle’s discovery was expected to be discussed at this week’s DEFCON conference in Las Vegas, potentially drawing more attention to it.
XSS is a web application vulnerability that permits an attacker to inject code (typically HTML or JavaScript) into the contents of an outside website. The code then launches as an infected script in the user’s web browser, enabling the attacker to steal sensitive information or impersonate the user.
In this scenario, Czarnecki said if a user had left their EAS product interface/browser open — where the product is open to the public internet — the interface could be susceptible to a XSS attack. ”The vulnerability that was identified presents a potentially serious risk. Users should look to update to the latest version of software. If someone is using anything lower than version 4.1, they need to update to the latest version immediately. While using a firewall does provide protections, software updates should always be kept current.”
The good news is that the vulnerability is only a concern to users who haven’t updated their EAS software over the past three years. Czarnecki said DAS has updated its software more than five times since Pyle reached out.
“We hope that FEMA understood [when Pyle presented the information to them] that the vulnerability relates to software versions that are fully deprecated,” said Czarnecki. “They’ve passed end of life and end of support back in 2019.”
It was only DAS’ software prior to version 4.1 that was affected. Now, the manufacturer is about to release version 5.0.
[Related: “FEMA Alerts Broadcasters to Vulnerabilities in EAS Devices“]
Again, though, the number of software updates is irrelevant if broadcasters and other EAS participants do not keep the most up-to-date version of the service or keep their product behind a firewall.
Czarnecki said the company is aware of a “relatively small” percentage of DAS EAS users that have still not updated their software, with some also leaving their equipment on the open internet.
“That’s one of the core issues here, that the mitigation was issued almost three years ago and, while we’ve been reaching out to our customer base, it is their responsibility to be as up-to-date as possible with the software that any EAS vendor releases.”
Some users haven’t even registered their products with DAS, meaning they can’t be contacted to be advised of best practices nor does DAS have information regarding what kind of user they are — whether it be a broadcaster, lab, etc.
While it may seem common practice to keep such important software current, Czarnecki said he knows of one case where a user has not updated their software in 10 years. “Of the thousands of units we’ve deployed globally, there’s a small handful of devices that are both running obsolete software and are left on the open Internet, which could be present a threat. But even if it’s a single station, that’s too many.”
In a subsequent email to an EAS listserv maintained by the Society of Broadcast Engineers, Czarnecki wrote: “We thank the FCC and FEMA for being proactive and issuing reminders about updating software, using protective firewalls, and other security best practices. We also credit the security researcher for bringing this to our attention originally, and exercising responsible disclosure to date.”
On Friday, the FCC Public Safety and Homeland Security Bureau issued an advisory reinforcing the message from FEMA.
