Incident: Vulnerabilities in Emergency Alert System Software Allow Fake Messages Broadcasting

Published Date: 2022-08-03

Postmortem Analysis
Timeline:
1. The software failure incident regarding vulnerabilities in the Emergency Alert System (EAS) devices was reported on August 3, 2022, as per Article 131240.

System:
1. Emergency Alert System (EAS) devices running unpatched and unsecured software [131240]

Responsible Organization:
1. The vulnerabilities in the emergency alert system software were caused by the unpatched and unsecured EAS devices, as highlighted by the cybersecurity researcher Ken Pyle [131240].
2. Digital Alert Systems, Inc., the firm that makes the emergency-alert software, was also responsible for the software failure incident as subsequent versions of their software were still susceptible to security issues despite issuing updates to address the initial problems [131240].

Impacted Organization:
1. TV and radio networks around the country [131240]
2. Federal Emergency Management Agency (FEMA) [131240]

Software Causes:
1. Vulnerabilities in the Emergency Alert System (EAS) software used by TV and radio networks to transmit emergency alerts allowed hackers to broadcast fake messages [131240].
2. Poor security controls in the EAS devices, including unpatched and unsecured devices running vulnerable software [131240].
3. Subsequent versions of the Digital Alert Systems software were still susceptible to security issues despite issuing updated software in response to the initial report [131240].

Non-software Causes:
1. Lack of proper security controls on the EAS devices [131240]
2. Breakdown of law enforcement communications before the January 6, 2021, attack on the US Capitol [131240]
3. Misuse of emergency alerts by an employee of the Hawaii Emergency Management Agency in 2018 [131240]

Impacts:
1. The software vulnerability in the Emergency Alert System devices could allow a hacker to broadcast fake messages over the alert system, potentially causing panic and confusion among the public [131240].
2. The breakdown in law enforcement communications before the January 6, 2021, attack on the US Capitol highlighted the critical infrastructure problem related to the security of communication systems, emphasizing the need for improved software security measures [131240].

Preventions:
1. Regular software updates and patching: The vulnerability in the emergency alert system software could have been prevented if operators of the devices had regularly updated their software to address security issues [131240].
2. Stronger security controls: Implementing robust security controls in the software could have prevented the exploitation of vulnerabilities by hackers [131240].
3. Thorough security testing: Conducting comprehensive security testing of the software before deployment could have helped identify and address potential vulnerabilities [131240].
4. User awareness and training: Educating users on the importance of software updates, security best practices, and how to recognize and respond to potential security threats could have helped prevent the incident [131240].

Fixes:
1. Updating the software on the Emergency Alert System (EAS) devices to address the vulnerabilities is crucial to fix the software failure incident [131240].
2. Ensuring that the EAS devices have proper security controls in place to prevent unauthorized access and fake alerts from being broadcasted [131240].
3. Regularly examining future software releases for any reported security issues and promptly issuing updates to mitigate potential vulnerabilities [131240].
4. Implementing additional security measures such as firewall protection for the EAS devices to further enhance their security posture [131240].

References:
1. Federal Emergency Management Agency official [131240]
2. Mark Lucero, chief engineer for Integrated Public Alert & Warning System [131240]
3. Ken Pyle, cybersecurity researcher [131240]
4. Digital Alert Systems, Inc. [131240]
5. Ed Czarnecki, Digital Alert Systems’ vice president of global and government affairs [131240]

Software Taxonomy of Faults

Category | Option | Rationale
Recurring | one_organization, multiple_organization | (a) The software failure incident related to vulnerabilities in the emergency alert system software has happened again within the same organization. The article mentions that the cybersecurity researcher, Ken Pyle, discovered the issue and reported it to Digital Alert Systems, Inc. in 2019. Despite the firm issuing updated software to address the problem, subsequent versions of the software were still susceptible to some security issues identified by Pyle [131240]. (b) The software failure incident related to vulnerabilities in the emergency alert system software has also happened at multiple organizations. The article mentions that the cybersecurity researcher, Ken Pyle, will be demonstrating his research at DEF CON, a hacking conference, indicating that the issue is not limited to a single organization but is a broader concern for the industry [131240].
Phase (Design/Operation) | design, operation | (a) The software failure incident related to the design phase is evident in the vulnerabilities found in the Emergency Alert System (EAS) devices used by TV and radio networks to transmit emergency alerts. A cybersecurity researcher discovered unpatched and unsecured EAS devices, indicating a design flaw in the software that left them vulnerable to potential hacking. The firm responsible for the emergency-alert software, Digital Alert Systems, issued software updates in response to the initial report of vulnerabilities in 2019 but subsequent versions still had security issues [131240]. (b) The software failure incident related to the operation phase is highlighted by the potential for hackers to exploit the vulnerabilities in the EAS devices to broadcast fake emergency messages over TV, radio, and cable networks. The misuse of these emergency alerts could lead to panic among the public, emphasizing the operational impact of such a software failure incident [131240].
Boundary (Internal/External) | within_system | (a) within_system: The software failure incident related to vulnerabilities in the Emergency Alert System (EAS) devices that are used by TV and radio networks to transmit emergency alerts was primarily due to contributing factors originating from within the system itself. The vulnerabilities in the software allowed for potential exploitation by hackers to broadcast fake messages over the alert system. The cybersecurity researcher who discovered the issue found poor security controls within the EAS devices and shared an example of a fake alert that he crafted but did not send [131240]. Additionally, the firm responsible for the emergency-alert software, Digital Alert Systems, Inc., issued updated software in response to the initial report of vulnerabilities in 2019, but subsequent versions of the software were still susceptible to security issues [131240]. This indicates that the software itself had inherent vulnerabilities that were not fully addressed in subsequent updates.
Nature (Human/Non-human) | non-human_actions, human_actions | (a) The software failure incident in the article was primarily due to non-human actions, specifically vulnerabilities in the software used by TV and radio networks to transmit emergency alerts. These vulnerabilities could allow a hacker to broadcast fake messages over the alert system, potentially causing panic and misinformation [131240]. (b) However, human actions also played a role in this software failure incident. The cybersecurity researcher, Ken Pyle, discovered the vulnerabilities in the Emergency Alert System devices and shared compelling evidence with FEMA. Additionally, the firm that makes the emergency-alert software, Digital Alert Systems, was informed about the security issues by Pyle in 2019 but subsequent versions of the software still had vulnerabilities [131240].
Dimension (Hardware/Software) | hardware, software | (a) The software failure incident mentioned in the article is related to vulnerabilities in the software used by TV and radio networks to transmit emergency alerts. The vulnerabilities could allow a hacker to broadcast fake messages over the alert system, indicating a failure due to contributing factors that originate in hardware [131240]. (b) The software failure incident is also directly related to software vulnerabilities in the Emergency Alert System (EAS) devices. The cybersecurity researcher discovered poor security controls in the software, allowing for the crafting of fake alerts. Despite attempts to address the issues with software updates, subsequent versions of the software remained susceptible to security issues, highlighting a failure due to contributing factors that originate in software [131240].
Objective (Malicious/Non-malicious) | malicious | (a) The objective of the software failure incident was malicious, as it involved vulnerabilities in the software used by TV and radio networks to transmit emergency alerts that could allow a hacker to broadcast fake messages over the alert system. A cybersecurity researcher discovered these vulnerabilities and provided evidence to FEMA, highlighting the potential for false alerts to be issued over TV, radio, and cable networks [131240]. The incident was driven by the intent to exploit the security weaknesses in the system for unauthorized access and manipulation of emergency alert broadcasts.
Intent (Poor/Accidental Decisions) | poor_decisions, accidental_decisions | (a) The intent of the software failure incident related to poor decisions can be inferred from the article. The vulnerabilities in the software used by TV and radio networks to transmit emergency alerts were identified by a cybersecurity researcher, Ken Pyle. Pyle discovered poor security controls in the Emergency Alert System (EAS) devices and shared an example of a fake alert he crafted but did not send, declaring a "civil emergency" for certain counties and areas in the US [131240]. (b) The intent of the software failure incident related to accidental decisions can also be seen in the article. Despite the cybersecurity researcher reporting the vulnerabilities to the firm that makes the emergency-alert software in 2019 and the firm issuing updated software to address the issue, subsequent versions of the software were still susceptible to security issues. This indicates that unintentional decisions or mistakes may have led to the failure to fully address the security vulnerabilities in the software [131240].
Capability (Incompetence/Accidental) | development_incompetence, accidental | (a) The software failure incident in the article can be attributed to development incompetence. The vulnerabilities in the emergency alert system software were discovered by a cybersecurity researcher, Ken Pyle, who found poor security controls in the EAS devices [131240]. Despite the firm responsible for the software issuing updates to address the issues, subsequent versions of the software were still susceptible to security issues identified by Pyle. This indicates a lack of professional competence in addressing and resolving the security vulnerabilities in the software. (b) The incident can also be categorized as accidental, as there is no evidence that malicious hackers have exploited the vulnerabilities in the software to broadcast fake emergency alerts over TV, radio, and cable networks [131240]. The vulnerabilities were discovered by the cybersecurity researcher during independent testing of the EAS devices, and the potential for false alerts being issued was highlighted as a theoretical possibility rather than an actual occurrence.
Duration | temporary | The software failure incident described in the article is more likely to be temporary rather than permanent. The vulnerabilities in the emergency alert system software were identified by a cybersecurity researcher, Ken Pyle, who provided evidence of the issue to FEMA [131240]. The article mentions that the firm responsible for the software, Digital Alert Systems, issued updated software in response to the initial report of vulnerabilities in 2019. However, subsequent versions of the software were still found to be susceptible to security issues identified by Pyle. This indicates that the software failure was not permanent but rather temporary, as attempts were made to address the vulnerabilities through software updates, albeit with limited success.
Behaviour | other | (a) crash: The software failure incident described in the article does not involve a crash where the system loses state and does not perform any of its intended functions. The vulnerability in the emergency alert system software could potentially allow a hacker to broadcast fake messages over the alert system, indicating that the system is still operational and functioning to some extent [131240]. (b) omission: The software failure incident does not involve the system omitting to perform its intended functions at an instance(s). Instead, the issue lies in the vulnerability that could lead to the broadcasting of fake messages over the alert system, suggesting that the system is still operational but at risk of unauthorized use [131240]. (c) timing: The software failure incident is not related to the system performing its intended functions correctly but too late or too early. The focus is on the vulnerability in the emergency alert system software that could potentially allow fake messages to be broadcast, rather than a timing issue [131240]. (d) value: The software failure incident does not involve the system performing its intended functions incorrectly in terms of the value provided. The issue is with the security vulnerabilities in the software that could lead to unauthorized messages being broadcast, rather than the system providing incorrect information [131240]. (e) byzantine: The software failure incident does not exhibit the behavior of the system behaving erroneously with inconsistent responses and interactions. The vulnerability in the emergency alert system software, while concerning, does not indicate inconsistent responses or interactions within the system itself [131240]. (f) other: The software failure incident involves a security vulnerability in the emergency alert system software that could potentially allow a hacker to broadcast fake messages over the alert system. This behavior falls under the category of a security flaw rather than a specific type of failure behavior listed in options (a) to (e) [131240].

IoT System Layer

Layer | Option | Rationale
Perception | None | None
Communication | None | None
Application | None | None

Other Details

Category | Option | Rationale
Consequence | property, non-human, theoretical_consequence | (a) death: People lost their lives due to the software failure - There is no mention of people losing their lives due to the software failure incident reported in the articles [131240]. (b) harm: People were physically harmed due to the software failure - There is no mention of people being physically harmed due to the software failure incident reported in the articles [131240]. (c) basic: People's access to food or shelter was impacted because of the software failure - There is no mention of people's access to food or shelter being impacted due to the software failure incident reported in the articles [131240]. (d) property: People's material goods, money, or data was impacted due to the software failure - The software failure incident could potentially impact the transmission of false emergency alerts over TV, radio, and cable networks, causing confusion and panic among the public [131240]. (e) delay: People had to postpone an activity due to the software failure - There is no mention of people having to postpone an activity due to the software failure incident reported in the articles [131240]. (f) non-human: Non-human entities were impacted due to the software failure - The software failure incident involved vulnerabilities in the software used to transmit emergency alerts, potentially allowing hackers to broadcast fake messages over the alert system [131240]. (g) no_consequence: There were no real observed consequences of the software failure - The software failure incident had the potential to lead to the transmission of false emergency alerts, although there is no mention of actual exploitation of the vulnerabilities by malicious hackers or real observed consequences in the articles [131240]. (h) theoretical_consequence: There were potential consequences discussed of the software failure that did not occur - The potential consequences discussed include the issuance of false alerts over TV, radio, and cable networks, which could create panic among the public [131240]. (i) other: Was there consequence(s) of the software failure not described in the (a to h) options? What is the other consequence(s)? - The articles do not mention any other specific consequences of the software failure incident beyond the potential for issuing false emergency alerts [131240].
Domain | information | (a) The failed system was intended to support the information industry as it involved vulnerabilities in software used by TV and radio networks to transmit emergency alerts [131240].
