MacDirectory magazine is the premiere creative lifestyle magazine for Apple enthusiasts featuring interviews, in-depth tech reviews, Apple news, insights, latest Apple patents, apps, market analysis, entertainment and more.
Issue link: https://digital.macdirectory.com/i/1481697
EAS pwn? By SecureMac.com The Emergency Alert System (EAS) is a national public warning system in the United States. It can be used by the federal government or local authorities to share information with the public in an emergency. Bleeping Computer explains how the system works: EAS alerts are delivered via IPAWS [Integrated Public Alert and Warning System] through multiple communication channels simultaneously, including AM, FM, and satellite radio, as well as broadcast, cable, and satellite TV, to reach as many people as possible. They can also interrupt radio and television programming to broadcast emergency alert information and can be delivered as text messages with or without audio attachments. If you’ve ever heard the screeching electronic tones that precede an EAS alert, you know that it’s almost impossible to ignore. (If you haven’t heard the sound before, and for some strange reason you want to, here’s the Wikipedia .ogg file). The EAS is, obviously, pretty important in an emergency. And that’s why an August bulletin put out by the Federal Emergency Management Agency (FEMA) is so alarming. According to FEMA, there are: …certain vulnerabilities in EAS encoder/decoder devices that, if not updated to most recent software versions, could allow an actor to issue EAS alerts over the host infrastructure (TV, radio, cable network). Translation? Bad guys could hack a vulnerable device and use it to send out fake alerts to an unsuspecting public. Weaponizing the EAS The vulnerability of a particular EAS unit — the Monroe Electronics R189 One-Net DASDEC EAS device — was demonstrated by security researcher Ken Pyle last week. Pyle told the media that a bad actor could exploit the vulnerability to hijack the EAS system, interrupt a public broadcast, and send out a fraudulent alert message. That message might contain instructions to go to a malicious website — or it could simply be a way to cause panic. FEMA has advised all broadcast outlets with a vulnerable EAS device to update their unit’s software in order to receive the security patch. They also recommend that anyone using an EAS unit protect it with firewalls and regular security log audits. As for the rest of us (i.e., people who don’t work at a radio or TV station), the best advice is to double-check EAS broadcasts to confirm their validity. For example, if you see an emergency alert on your TV, confirm it by tuning your radio dial to your local NPR station. If a bad actor somehow managed to compromise a TV station’s EAS unit, it’s highly unlikely that they would also have hacked the one at the radio station. The fact that you’re hearing the alert in both places means that it’s most likely real.