SecureMac, Inc.

Checklist 292: This is (Probably) a Test

August 18, 2022

This week we discuss an alert about the Emergency Alert System, small Apple updates with big security fixes, and finally, a questionable thief who leaves the luggage and takes the AirTag.

On this week’s Checklist podcast:

  • Hacking the Emergency Alert System
  • Small Apple update, big Apple fixes
  • AirTag to the rescue

EAS pwn?

The Emergency Alert System (EAS) is a national public warning system in the United States. It can be used by the federal government or local authorities to share information with the public in an emergency. 

Bleeping Computer explains how the system works:

EAS alerts are delivered via IPAWS [Integrated Public Alert and Warning System] through multiple communication channels simultaneously, including AM, FM, and satellite radio, as well as broadcast, cable, and satellite TV, to reach as many people as possible.

They can also interrupt radio and television programming to broadcast emergency alert information and can be delivered as text messages with or without audio attachments.

If you’ve ever heard the screeching electronic tones that precede an EAS alert, you know that they’re almost impossible to ignore. (If you haven’t heard the sound before, and for some strange reason you want to, here’s the Wikipedia .ogg file).

The EAS is, obviously, pretty important in an emergency. And that’s why an August bulletin put out by the Federal Emergency Management Agency (FEMA) is so alarming.

According to FEMA, there are: 

…certain vulnerabilities in EAS encoder/decoder devices that, if not updated to most recent software versions, could allow an actor to issue EAS alerts over the host infrastructure (TV, radio, cable network).

Translation? Bad guys could hack a vulnerable device and use it to send out fake alerts to an unsuspecting public.

Weaponizing the EAS

The vulnerability of a particular EAS unit — the Monroe Electronics R189 One-Net DASDEC EAS device — was demonstrated by security researcher Ken Pyle last week.

Pyle told the media that a bad actor could exploit the vulnerability to hijack the EAS system, interrupt a public broadcast, and send out a fraudulent alert message.

That message might contain instructions to go to a malicious website — or it could simply be a way to cause panic.

FEMA has advised all broadcast outlets with a vulnerable EAS device to update their unit’s software in order to receive the security patch. They also recommend that anyone using an EAS unit protect it with firewalls and regular security log audits.

As for the rest of us (i.e., people who don’t work at a radio or TV station), the best advice is to double-check EAS broadcasts to confirm their validity. For example, if you see an emergency alert on your TV, confirm it by tuning your radio dial to your local NPR station. If a bad actor somehow managed to compromise a TV station’s EAS unit, it’s highly unlikely that they would also have hacked the one at the radio station. The fact that you’re hearing the alert in both places means that it’s most likely real.

Apple security patches

Apple has issued a few updates for iOS, iPadOS, and macOS. And although this is just a “minor” round of updates, the potential security impact is fairly significant.

iOS 15.6.1, iPadOS 15.6.1, and macOS Monterey 12.5.1 all address the same two CVE vulnerabilities. The first is a kernel issue that could lead to arbitrary code execution; the second, a WebKit flaw that can allow the same thing to happen. 

Apple says that they are “aware of” reports that the issues may have been exploited in the wild — which probably means it’s already happening, reading between the lines a bit. 

As always, when there’s a security patch like this, you should update all relevant devices right away.

AirTag catches a bad guy

We’ve spent a lot of time on The Checklist talking about the potential risks of AirTag, Apple’s personal tracking device for your stuff. But this week, we’re sharing a (sort of) positive AirTag story for once!

According to insider.com, AirTag helped law enforcement catch an airport baggage handler who was stealing passengers’ luggage.

When a victim contacted police with the last known location of the AirTag she’d stowed in her suitcase, the Sheriff’s Office was able to cross-reference that location data with the home address of an airline employee. 

The authorities paid the 19-year-old man a visit at his home. He admitted to going through the victim’s bag…and that of another passenger. All told, the police recovered over $15,000 worth of stolen property from the thief.

It’s a good lesson about how AirTag users should handle a suspected theft — and for once, a nice story about someone using AirTag as intended! 
