Some key parts of the Emergency Alert System are vulnerable to hacking, according to a report from security research firm IOActive. The EAS, which replaced the old Emergency Broadcast System and can now be utilized to send alerts to phones as well as television stations, uses direct digital and analog communication that involves local application servers called decoders. At least two of these, the DASDEC-I and the DASDEC-II, are reportedly vulnerable because the manufacturer made firmware images that included a "root privileged SSH key" publicly available. That's enough for hackers to gain total access to these decoders and then shut them down or send out fake emergency messages.
The news comes a few months after a local EAS system was hacked to send out a fake warning about a zombie attack. KRTV in Montana was the victim of that attack, which came about because the system administrator didn't change the default password on the station's decoder. The US Cyber Emergency Response Team has also issued an alert about this more recent vulnerability and reminded EAS admins to change their default passwords. IOActive told Wired that it only issued its warning after contacting the manufacturer of the affected systems and that a fix has already been released.