Incident: Exploitable Software Flaw in Emergency Alert System by Hackers.

Published Date: 2022-08-08

Postmortem Analysis
Timeline:
1. The software failure incident of hackers exploiting a software flaw in the Emergency Alert System was reported on August 8, 2022, in Article 131024.

System:
The software failure incident reported in Article 131024 involved vulnerabilities in the Monroe Electronics R189 One-Net DASDEC EAS, which is a type of emergency alert system encoder and decoder. Specifically, the following systems/components failed:
1. Monroe Electronics R189 One-Net DASDEC EAS encoder/decoder [131024]

Responsible Organization:
1. Hackers exploited a software flaw in the Emergency Alert System, as reported by the U.S. Department of Homeland Security's Federal Emergency Management Agency (FEMA) [131024].

Impacted Organization:
1. TV and radio stations were impacted by the software failure incident as their emergency alert system encoder and decoder, specifically the Monroe Electronics R189 One-Net DASDEC EAS, was found to have multiple vulnerabilities that could be exploited by hackers [131024].

Software Causes:
1. The software causes of the failure incident were vulnerabilities in the Monroe Electronics R189 One-Net DASDEC EAS emergency alert system encoder and decoder, which had multiple unpatched vulnerabilities and issues that had not been addressed for several years, leading to a significant flaw [131024].

Non-software Causes:
1. Lack of timely patching and updating of the EAS encoder/decoder devices, specifically the Monroe Electronics R189 One-Net DASDEC EAS, by EAS participants [131024].
2. Failure to adequately monitor and review audit logs for unauthorized access to EAS devices and supporting systems [131024].
3. Insufficient protection of EAS devices by a firewall [131024].

Impacts:
1. The software failure incident allowed hackers to exploit vulnerabilities in the Emergency Alert System, potentially leading to the issuance of fake warnings over radio and TV stations [131024].
2. The flaw in the EAS encoder/decoder devices, if not updated with the latest software versions, could enable unauthorized actors to issue EAS alerts over the host infrastructure, compromising the integrity of emergency communications [131024].
3. The vulnerabilities in the Monroe Electronics R189 One-Net DASDEC EAS, which were not patched for several years, created a significant security flaw that could be exploited by hackers [131024].
4. Successful exploitation of the software flaw could allow unauthorized access to credentials, certificates, devices, and the ability to send fake alerts, potentially disrupting legitimate emergency communications and responses [131024].
5. The incident highlighted the importance of maintaining up-to-date software versions, applying security patches, protecting devices with firewalls, and monitoring systems for unauthorized access to prevent similar software failures in the future [131024].

Preventions:
1. Ensuring that EAS devices and supporting systems are up to date with the most recent software versions and security patches [131024].
2. Implementing a firewall to protect EAS devices [131024].
3. Regularly monitoring and reviewing audit logs for unauthorized access to EAS devices and supporting systems [131024].

Fixes:
1. Updating the EAS encoder/decoder devices to the most recent software versions and applying security patches [131024].
2. Ensuring that EAS devices are protected by a firewall [131024].
3. Monitoring and regularly reviewing audit logs for unauthorized access to EAS devices and supporting systems [131024].

References:
1. U.S. Department of Homeland Security's Federal Emergency Management Agency (FEMA) [131024]
2. Ken Pyle, security researcher at CYBIR.com [131024]
3. Monroe Electronics R189 One-Net DASDEC EAS [131024]
4. Bleeping Computer [131024]

Software Taxonomy of Faults

Category | Option | Rationale
Recurring | one_organization, multiple_organization | (a) The software failure incident related to the exploitation of vulnerabilities in the Emergency Alert System (EAS) encoder/decoder devices has happened before within the same organization. The vulnerabilities in the Monroe Electronics R189 One-Net DASDEC EAS, which is a type of emergency alert system encoder and decoder, were confirmed by multiple researchers and have not been patched for several years, leading to a significant flaw [131024]. (b) The software failure incident related to the exploitation of vulnerabilities in the EAS encoder/decoder devices has also happened at multiple organizations. Federal officials have warned in the past that hackers could exploit the EAS to hijack it for malicious purposes, indicating a potential threat to various organizations utilizing the EAS for emergency alerts [131024].
Phase (Design/Operation) | design, operation | (a) The software failure incident in the article is related to the design phase. The incident occurred due to vulnerabilities in the EAS encoder/decoder devices, specifically the Monroe Electronics R189 One-Net DASDEC EAS, which is a type of emergency alert system encoder and decoder. These vulnerabilities, which have not been patched for several years, allowed hackers to exploit the system and issue fake alerts over radio and TV stations [131024]. (b) The software failure incident is also related to the operation phase. The incident was exacerbated by the lack of updating EAS devices to the most recent software versions and security patches, as well as the absence of firewall protection for the EAS devices. Additionally, the vulnerabilities in the system allowed unauthorized access, enabling the hacker to exploit the web server, send fake alerts, and potentially lock legitimate users out of the system [131024].
Boundary (Internal/External) | within_system | (a) within_system: The software failure incident in this case is within the system. The vulnerability in the Emergency Alert System (EAS) encoder/decoder devices, specifically the Monroe Electronics R189 One-Net DASDEC EAS, allowed hackers to exploit the system and issue fake alerts over radio and TV stations [131024]. The vulnerabilities in the software were not patched for several years, leading to a significant flaw that could be exploited by hackers [131024]. The failure originated from within the system itself, highlighting the importance of keeping software up to date with the latest versions and security patches to prevent such incidents.
Nature (Human/Non-human) | non-human_actions, human_actions | (a) The software failure incident occurring due to non-human actions: The software failure incident in this case was due to a software flaw in the Emergency Alert System (EAS) that allowed hackers to exploit vulnerabilities in the EAS encoder/decoder devices. The flaw, if not updated to the most recent software versions, could enable an actor to issue fake EAS alerts over radio and TV stations [131024]. (b) The software failure incident occurring due to human actions: The vulnerabilities in the EAS encoder/decoder devices, which led to the software failure incident, were confirmed by security researcher Ken Pyle and other researchers. These vulnerabilities had not been patched for several years, indicating a lack of timely human intervention in addressing and fixing the software issues [131024].
Dimension (Hardware/Software) | hardware, software | (a) The software failure incident occurring due to hardware: - The software flaw in the Emergency Alert System was due to vulnerabilities in the EAS encoder/decoder devices, specifically the Monroe Electronics R189 One-Net DASDEC EAS, which is a type of emergency alert system encoder and decoder [131024]. - The vulnerabilities in the hardware devices had not been patched for several years, leading to a significant flaw that could be exploited by hackers [131024]. (b) The software failure incident occurring due to software: - The software flaw in the Emergency Alert System was a result of vulnerabilities in the software versions of the EAS encoder/decoder devices [131024]. - The lack of software updates and security patches for the EAS devices contributed to the exploit that allowed hackers to issue fake alerts over radio and TV stations [131024].
Objective (Malicious/Non-malicious) | malicious | (a) The objective of the software failure incident was malicious, as hackers exploited a software flaw in the Emergency Alert System to issue fake warnings over radio and TV stations. The U.S. Department of Homeland Security warned that if the EAS encoder/decoder devices were not updated to the most recent software versions, actors could issue EAS alerts over the host infrastructure [131024]. The security researcher, Ken Pyle, successfully demonstrated this exploit and mentioned being able to obtain access to credentials, exploit the web server, send fake alerts, and lock legitimate users out, among other malicious actions [131024]. (b) The software failure incident was non-malicious in the sense that the vulnerabilities in the Monroe Electronics R189 One-Net DASDEC EAS, which is a type of emergency alert system encoder and decoder, had not been patched for several years, leading to a huge flaw. The lack of patching and addressing these vulnerabilities over time contributed to the software failure incident, indicating a non-malicious oversight or neglect in maintaining the software [131024].
Intent (Poor/Accidental Decisions) | poor_decisions | (a) The intent of the software failure incident related to poor_decisions: - The software failure incident in this case was due to poor decisions related to the lack of updating EAS encoder/decoder devices to the most recent software versions, leaving vulnerabilities that could be exploited by hackers [131024]. - The vulnerabilities in the Monroe Electronics R189 One-Net DASDEC EAS, which is a type of emergency alert system encoder and decoder, had not been patched for several years, leading to a significant flaw that could be exploited [131024]. (b) The intent of the software failure incident related to accidental_decisions: - There is no specific mention in the articles about the software failure incident being related to accidental decisions.
Capability (Incompetence/Accidental) | development_incompetence, accidental | (a) The software failure incident in this case can be attributed to development incompetence. The incident involved a software flaw in the Emergency Alert System (EAS) that allowed hackers to exploit vulnerabilities in the EAS encoder/decoder devices. The vulnerabilities were not patched for several years, indicating a lack of proper software maintenance and updates by the development organization. The security researcher who demonstrated the exploit highlighted that multiple vulnerabilities and issues in the system had not been addressed, leading to a significant flaw [131024]. (b) Additionally, the incident can also be categorized as accidental, as the vulnerabilities in the Monroe Electronics R189 One-Net DASDEC EAS were not intentionally introduced but rather existed due to a lack of proper attention to security and software maintenance over the years. The researcher mentioned that the vulnerabilities had not been patched for several years, indicating an accidental oversight that snowballed into a significant flaw [131024].
Duration | temporary | (a) The software failure incident described in the articles is more likely to be temporary rather than permanent. This is evident from the fact that the failure was caused by specific contributing factors, namely vulnerabilities in the EAS encoder/decoder devices, which allowed hackers to exploit the system and issue fake alerts. The vulnerabilities were identified by security researchers like Ken Pyle, and the incident was demonstrated as a proof of concept at a conference. Additionally, the article mentions that the vulnerabilities have not been patched for several years, indicating that the failure was not permanent but rather a result of specific circumstances [131024].
Behaviour | omission, value, other | (a) crash: The software failure incident in the article is not described as a crash where the system loses state and does not perform any of its intended functions [131024]. (b) omission: The software failure incident in the article is related to a vulnerability in the Emergency Alert System that could allow an actor to issue fake alerts over radio and TV stations, indicating an omission in performing its intended functions correctly [131024]. (c) timing: The software failure incident in the article does not involve timing issues where the system performs its intended functions too late or too early [131024]. (d) value: The software failure incident in the article is related to a software flaw that allows unauthorized actors to issue fake alerts over the Emergency Alert System, leading to the system performing its intended functions incorrectly [131024]. (e) byzantine: The software failure incident in the article does not exhibit byzantine behavior with inconsistent responses and interactions [131024]. (f) other: The software failure incident in the article involves a security vulnerability in the Emergency Alert System that could be exploited by hackers to issue fake alerts, potentially leading to unauthorized access, exploitation of web servers, and sending of crafted messages [131024].

IoT System Layer

Layer | Option | Rationale
Perception | sensor | (a) sensor: The software failure incident reported in Article 131024 is related to the perception layer of the cyber physical system that failed due to contributing factors introduced by sensor error. The vulnerability in the Emergency Alert System (EAS) encoder/decoder devices, specifically the Monroe Electronics R189 One-Net DASDEC EAS, allowed hackers to exploit the system and issue fake warnings over radio and TV stations [131024]. The security researcher, Ken Pyle, identified multiple vulnerabilities and issues in the sensor (EAS encoder/decoder devices) that hadn't been patched for several years, leading to a significant flaw in the system. This flaw in the sensor component of the system enabled unauthorized access and manipulation of the emergency alerts, demonstrating a failure in the sensor's functionality within the cyber physical system [131024].
Communication | link_level | The software failure incident reported in Article 131024 is related to the communication layer of the cyber physical system that failed. The vulnerability in the Emergency Alert System (EAS) encoder/decoder devices allowed hackers to exploit a software flaw to issue fake warnings over radio and TV stations. This flaw in the EAS encoder/decoder devices, specifically the Monroe Electronics R189 One-Net DASDEC EAS, which is a type of emergency alert system encoder and decoder, was identified as a significant issue that hadn't been patched for several years, leading to a critical flaw in the system [131024]. This indicates that the failure was at the link_level, involving the physical layer of communication.
Application | TRUE | The software failure incident described in Article 131024 is related to the application layer of the cyber physical system. The incident involves a software flaw in the Emergency Alert System (EAS) encoder/decoder devices that could be exploited by hackers to issue fake warnings over radio and TV stations. The vulnerabilities in the Monroe Electronics R189 One-Net DASDEC EAS, which is a type of emergency alert system encoder and decoder, have not been patched for several years, leading to a significant flaw that allows unauthorized access and manipulation of the system. This aligns with the definition of an application layer failure caused by bugs, unhandled exceptions, and incorrect usage [131024].

Other Details

Category | Option | Rationale
Consequence | theoretical_consequence | The consequence of the software failure incident described in the articles is primarily related to potential harm and theoretical consequences: - Theoretical_consequence: The software flaw in the Emergency Alert System could potentially allow hackers to issue fake warnings over radio and TV stations, which could lead to misinformation and panic among the public [131024]. - Theoretical_consequence: The vulnerabilities in the EAS encoder/decoder devices, if exploited, could allow an actor to issue EAS alerts over the host infrastructure, potentially causing confusion and disruption in emergency communication systems [131024]. - Theoretical_consequence: The researcher who demonstrated the exploit mentioned that after successful exploitation, they could obtain access to credentials, certificates, devices, exploit the web server, send fake alerts, and even lock legitimate users out, potentially disrupting the emergency alert system [131024].
Domain | information, utilities, government | (a) The failed system in this incident is related to the production and distribution of information. The software flaw in the Emergency Alert System (EAS) allowed hackers to issue fake warnings over radio and TV stations, impacting the dissemination of crucial information to citizens in case of emergencies [131024]. The EAS is a national public warning system that enables the delivery of critical information to the public in the event of federal or local emergencies, such as weather events, threats to public safety, or AMBER alerts, through various communication channels like radio, TV, and text messages. (g) The failed system also has implications for utilities as it involves the transmission of emergency alerts over broadcast, cable, and satellite TV, as well as radio channels, to reach a wide audience during emergencies [131024]. (l) Additionally, the incident has significant implications for government operations as the EAS is a tool used by federal, state, and local officials to communicate vital information to the public during emergencies. The U.S. Department of Homeland Security and FEMA were involved in addressing the software vulnerability in the EAS to prevent malicious exploitation by hackers [131024].
