A major vulnerability has been discovered in the US Emergency Alert System that could allow hackers to break into the system and broadcast fake messages to the United States, according to a new report by security firm IOActive.
The firm listed the severity of the vulnerability as “critical.”
The report states that a hacker who gains control over one or more of the system’s servers could “disrupt these stations’ ability to transmit and could disseminate false emergency information over a large geographic area.”
The issue was detected in several programs that run the alert system, including DASDEC-I, DASDEC-II, and other DAS Linux-based platforms.
Mashable reported that a recent firmware update pushed to the programs included a private secure shell (SSH) key, which lets anyone who holds it log in to a server remotely with “root access.”
Hackers can manipulate any system function from there.
The IOActive report stated the following:
The United States Emergency Alert System (EAS) in 1997 replaced the older and better known Emergency Broadcast System (EBS) used to deliver local or national emergency information. The EAS is designed to “enable the President of the United States to speak to the United States within 10 minutes” after a disaster occurs.
Mashable continued:
These alerts were passed among stations using wire services, which connected to television and radio stations around the U.S. When a station received an official notification, it would disrupt the current broadcast to deliver the message to the public.
The report goes on to say that the new system also allows the president to do the same, but that it has never been used on a national scale since its launch 16 years ago. Now, it is most often used for tornado, hurricane and other local alerts.
According to Mashable.com, this news comes several months after a security breach at the Montana-based TV station KRTV, where hackers transmitted a fake Emergency Alert System notice about zombies.
“Bodies of the dead are rising from their graves,” a man’s voice said during the fake alert.
IOActive says that in order to correct the issue, the Digital Alert System “needs to re-evaluate their firmware and push updates to all appliances to resolve these issues,” which should correct any vulnerability in the US Emergency Alert System.
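The following is an added example, not code from IOActive, Mashable or the vendor: a release-time check of the kind that firmware re-evaluation implies, which walks an unpacked firmware image and flags shipped private key material and pre-authorized SSH logins. The directory layout, file names and file contents in `demo()` are constructed samples, not taken from the affected firmware.

```python
import os
import re
import tempfile

# PEM armor for private keys (RSA, DSA, EC, OpenSSH, PKCS#8 plain or encrypted).
PRIVATE_KEY_RE = re.compile(
    rb"-----BEGIN (?:RSA |DSA |EC |OPENSSH |ENCRYPTED )?PRIVATE KEY-----")

def audit_firmware_tree(root):
    """Return sorted (relative_path, finding) pairs for an unpacked image."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks and special files
            try:
                with open(path, "rb") as fh:
                    data = fh.read(1 << 20)  # key files are far smaller than 1 MiB
            except OSError:
                continue
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if PRIVATE_KEY_RE.search(data):
                findings.append((rel, "private-key"))
            if name in ("authorized_keys", "authorized_keys2"):
                # Any non-comment line is a login baked into every device.
                entries = [ln for ln in data.splitlines()
                           if ln.strip() and not ln.lstrip().startswith(b"#")]
                if entries:
                    findings.append((rel, "preauthorized-login"))
    return sorted(findings)

def demo():
    """Build a constructed image tree in a temp dir and audit it."""
    samples = {  # constructed contents, not real key material
        "root/.ssh/id_rsa": b"-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED\n",
        "root/.ssh/authorized_keys": b"# support\nssh-rsa CONSTRUCTED a@example.invalid\n",
        "etc/ssh/ssh_host_rsa_key.pub": b"ssh-rsa CONSTRUCTED host\n",
        "etc/motd": b"hello\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(body)
        return audit_firmware_tree(root)

if __name__ == "__main__":
    for rel, kind in demo():
        print(f"{kind:20} {rel}")
```

Any `private-key` finding in an image that ships to every appliance means the key must be treated as public and rotated, since each device owner can extract it.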