On November 23, 2022, the Cybersecurity and Infrastructure Security Agency (CISA) issued an Advisory on security vulnerabilities in DASDEC EAS encoder/decoder devices sold by Digital Alert Systems (formerly Monroe Electronics). CISA warns that DASDEC software prior to version 4.1 contains a cross-site scripting (XSS) vulnerability that allows remote attackers to run code on the devices. CISA also warns that all DASDEC software contains an XSS vulnerability via the Host Header that can be used by remote attackers after login.

The Public Safety and Homeland Security Bureau (PSHSB or Bureau) of the Federal Communications Commission advises all EAS Participants that use DASDEC devices to immediately take the following steps recommended by CISA to protect their systems from cyberattacks:

• Patch their DASDEC equipment to the latest version.
• Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
• Locate control system networks and remote devices behind firewalls and isolate them from business networks.
• When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

The Bureau also urges EAS Participants to take additional steps to improve their cyber hygiene as described in its August 5, 2022 Public Notice.

Under the FCC’s rules, EAS Participants are responsible for ensuring that EAS equipment is installed so that the monitoring and transmitting functions are available during the times the stations and systems are in operation. Failure to receive or transmit EAS messages during national tests or actual emergencies because of an equipment failure may subject the EAS Participant to enforcement.