These devices are trivially discoverable on Shodan by searching various manufacturer and model names, often reporting Apache versions known to have serious vulnerabilities right in the HTTP header. The names of the entities hosting them are often listed as radio and TV stations in the middle of nowhere, who probably don't have the best cybersecurity practices.
If basic cybersecurity practices aren't a mandatory part of EAS policy compliance - like, keeping things up to date, designing equipment not to report software component versions, keeping these devices off the Internet unless there is a compelling reason - that's probably the first thing the FCC can do to fix it. Radio and television broadcasters are all required to have functional EAS equipment that is tested in the field weekly and monthly. Running a 20-odd-year-old box without security updates actively maintained by the manufacturer should be considered as serious a policy violation as simply not plugging it in.
Want a national divorce? Here's an easy way to accomplish it: on election day or thereabouts, hack the emergency alert system and transmit an alert stating that $POWERFUL_ACTOR has declared that anyone voting for $OPPOSING_PARTY will be subject to $FORM_OF_GOVERNMENT_VIOLENCE.
The only questions are when, not if, this happens; and on what scale.