REC LPFM Advisory Letter #15 - EAS Vulnerability, especially in DASDEC versions other than 4.x and 5.x

The following information is from the Society of Broadcast Engineers (SBE).  REC's additional comments are in bold.

On Aug. 1, 2022, the Federal Emergency Management Agency (FEMA) released an IPAWS advisory noting a vulnerability in the Emergency Alert System (EAS). EAS encoder/decoders that have not been updated to the most recent software versions could allow unauthorized access to issue EAS alerts.

The vulnerability is public knowledge and will be demonstrated to a large public audience in the coming weeks at a trade convention.

FEMA strongly encourages EAS participants to ensure that:
1. EAS devices and supporting systems are up to date with the most recent software versions and security patches;
2. EAS devices are protected by a firewall;
3. EAS devices and supporting systems are monitored and audit logs are regularly reviewed looking for unauthorized access.

CNN reports that the issue is specific to Monroe DASDEC units. The Indiana Association of Broadcasters (IAB) has confirmed this with FEMA and the NAB.

The IAB notes that this vulnerability is not new. It was first reported in 2013 during the so-called zombie attacks; however, it appears that the security patch provided by Monroe at the time did not completely resolve the problem. Several software updates have been issued since then, and stations that have updated to version 4.0 or higher are secure. However, any device that has not been updated to version 4.0 or 5.X remains vulnerable. The cybersecurity researcher referenced in the CNN article was apparently able to identify a number of EAS devices that could be hacked. He is apparently planning to share his finding at a public conference on Aug. 11-14.

REC is aware that some LPFM stations may be operating a DASDEC EAS with version 3.x. It is very important that you consider making the upgrade to version 4.x. This is not a sales pitch. This is a serious issue. We are not aware whether Monroe will be making an emergency patch for 3.x users, so the most prudent thing for LPFM stations that are on DASDEC II version 3.x or earlier is to upgrade to version 4.x if their equipment is compatible (DASDECs of earlier than 2014 vintage may have a hardware incompatibility).

For more information on the software upgrade for DASDEC units only, visit:
https://www.digitalalertsystems.com/EAS_DAS/V4_software.html

Regardless of which EAS your station has, you should take the time to determine your current software version and contact your EAS manufacturer to determine if you have the most current version of your software. Also, please follow the recommendations above to ensure that your EAS is safe from cyberattacks.

EAS manufacturer websites:
https://www.digitalalertsystems.com/
http://www.gorman-redlich.com/
https://www.sagealertingsystems.com/


Original version: August 5, 2022
Updated March 10, 2024 to reflect version 5.x from DASDEC.  All stations should be on a 5.X version in order to comply with the new CAP Polling requirements.