Last week, both the FCC and FEMA issued notices to broadcasters, cable and other EAS participants that there was a vulnerability in the EAS technologies that could make those systems subject to hacking, potentially allowing bad actors to send out messages to the public using the alerting system (see FCC notice here and FEMA notice here). As we wrote in our weekly update this past weekend, these federal agencies urge EAS participants to update their EAS devices with the latest software and security patches, change default passwords, make sure that their systems are behind a firewall, and review audit logs regularly to make sure that there has been no unauthorized access. The FEMA notice indicates that the security issue will become public at a tech conference in Las Vegas later this week, so it urges all EAS participants to move quickly to secure their systems.
This is not the first time that broadcasters have discovered that their security systems can be hacked. In 2013, we wrote about another intrusion into EAS, where hackers were able to take over the EAS alerting capacity of some TV stations to broadcast a warning of an alleged impending zombie attack. The FCC earlier this year warned of security concerns, fearing international tensions could result in the hacking of US broadcast stations (see our article here). There was even an incident about 5 years ago, where hackers were able to exploit a security flaw in certain stations studio-transmitter links that were connected to the internet, where hackers were able to gain access to stations transmitter controls and to broadcast content from an internet programming stream that was not appropriate for over-the-air content. These instances all highlight the need for broadcasters to be vigilant in protecting their over-the-air programming from unauthorized access in today’s world where there are always those looking to exploit security flaws to show their technical skill, or to do far worse. And remember, the FCC now requires EAS participants to alert the FCC within 24 hours of transmitting a false EAS alert to the public (see our post here). So assess your EAS systems now to mitigate any security concerns.