
The Small Packet of Bits That Can Save (or Destabilize) a City

DEFCONConference · 1,000 views · 46:38 · 6 months ago

This talk demonstrates the vulnerability of the Emergency Alert System (EAS) and the Specific Area Message Encoding (SAME) protocol to unauthorized message injection. The speaker analyzes the protocol's lack of authentication and origin verification, showing how simple radio hardware can be used to broadcast fake emergency alerts. The presentation highlights the critical infrastructure risks posed by legacy protocols that lack modern security controls.

How to Hijack the Emergency Alert System with $30 of Hardware

TLDR: The Emergency Alert System (EAS) relies on the legacy Specific Area Message Encoding (SAME) protocol, which lacks any form of cryptographic authentication or origin verification. By using an RTL-SDR dongle and multimon-ng, researchers can easily craft and broadcast unauthorized emergency alerts that trigger receivers across a wide area. This research highlights the critical danger of relying on unauthenticated, clear-text protocols for national-level public safety infrastructure.

Emergency alert systems are designed to be the ultimate fail-safe. When a disaster strikes, the public expects these systems to be the most reliable source of information. However, the underlying technology powering these alerts is often decades old, built on assumptions of trust that no longer exist in the modern threat landscape. The Specific Area Message Encoding (SAME) protocol, which dictates how these alerts are formatted and transmitted, is fundamentally broken by design. It lacks any mechanism to verify the sender, meaning any device capable of transmitting on the correct frequency can inject arbitrary alerts into the system.

The Mechanics of a Spoofed Alert

The SAME protocol is essentially a digital burst of data transmitted using Audio Frequency-Shift Keying (AFSK). Because the protocol was developed in an era where radio equipment was expensive and specialized, the designers never implemented digital signatures or authentication. The structure of a SAME message is straightforward: a header, an optional voice message, and an end-of-message signal.

The header is the most critical component. It contains the originator code, the event type, the geographic area code, and the expiration time. Because these fields are transmitted in plain text, an attacker can use a simple software-defined radio (SDR) setup to generate a valid-looking alert. The process involves:

  1. Crafting the header string (e.g., ZCZC-ORG-EEE-PSSCCC-PSSCCC+TTTT-JJJHHMM-LLLLLLLL-, where the `+` separates the location codes from the valid-time field).
  2. Encoding this string into an AFSK-modulated WAV file.
  3. Broadcasting the audio over the target frequency (typically in the VHF band around 162 MHz).

Tools like multimon-ng make this trivial. A pentester can use this tool to decode existing traffic to understand the local alert structure and then use a Python script to generate a custom, malicious payload. The lack of error correction in the protocol means that if the signal is strong enough, the receiver will process the spoofed alert as legitimate, triggering sirens, text displays, or radio interruptions.

Why This Matters for Pentesters

For a security researcher or pentester, the risk here isn't just theoretical. Many commercial and government-owned buildings, schools, and critical infrastructure facilities have dedicated SAME receivers installed to comply with safety regulations. These devices are often "set and forget." They sit in a rack, connected to an antenna, waiting for a specific tone sequence.

If you are performing a physical security assessment or a red team engagement, identifying these receivers is a low-hanging fruit. A successful injection of a fake alert can cause mass panic, disrupt operations, or force an unnecessary evacuation. The impact is immediate and highly visible. Furthermore, because the protocol is a standard, the same attack vector works across different vendors. You don't need to find a zero-day in a specific device; you are exploiting a flaw in the protocol itself.

The Defensive Reality

Defending against this is notoriously difficult because the vulnerability is baked into the standard. You cannot simply "patch" the SAME protocol without breaking compatibility with every legacy receiver in the field.

Blue teams and facility managers should focus on physical security and signal monitoring. If you manage a facility with an EAS receiver, ensure the antenna feed is secure and not easily accessible. Additionally, modern receivers should be configured to ignore alerts that do not originate from trusted, verified sources if the hardware supports such filtering. However, the most effective defense is moving away from these legacy, unauthenticated radio protocols toward modern, encrypted alternatives like the Common Alerting Protocol (CAP), which provides a standardized, XML-based framework that supports digital signatures and better security controls.
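The header fields laid out under "The Mechanics of a Spoofed Alert" are also all a defender has to work with: a receiver that is to "ignore alerts that do not originate from trusted, verified sources" can only do so by checking those plain-text fields against a local policy, since the protocol itself carries no signature. The Python below is an added example written for this article; it is not code from the talk, from multimon-ng, or from any receiver vendor. It takes an already-decoded SAME header (the ASCII string a decoder prints) and scores it against a constructed facility policy, using the `+` that separates the location list from the duration field in the FCC header format. The originator and event codes are real SAME codes; the location code, call signs, sample headers and receiver clock are constructed for the demo. Nothing here touches radio signals.

```python
"""SAME header policy check for an EAS receiver or a monitoring box.

Added example for this article (not code from the talk or any vendor).
Works on decoded ASCII headers only. Field layout:
    ZCZC-ORG-EEE-PSSCCC[-PSSCCC...]+TTTT-JJJHHMM-LLLLLLLL-
"""
import re
from dataclasses import dataclass

HEADER_RE = re.compile(
    r"^ZCZC-(?P<org>[A-Z]{3})-(?P<event>[A-Z]{3})"
    r"(?P<locs>(?:-\d{6})+)"                       # one or more PSSCCC codes
    r"\+(?P<duration>\d{4})"                        # TTTT valid time (HHMM)
    r"-(?P<day>\d{3})(?P<hour>\d{2})(?P<minute>\d{2})"  # JJJHHMM issue time, UTC
    r"-(?P<sender>[A-Z0-9/ ]{8})-$"                 # 8-char call sign, space padded
)


@dataclass
class ReceiverPolicy:
    # Originator codes the facility expects to hear (real SAME codes).
    allowed_originators: frozenset = frozenset({"PEP", "CIV", "WXR", "EAS"})
    # Event codes this receiver acts on (real codes; a small subset for the demo).
    known_events: frozenset = frozenset({"EAN", "RMT", "RWT", "TOR", "SVR", "FFW", "CEM", "EVI"})
    # Location codes covering this facility (constructed sample value).
    my_locations: frozenset = frozenset({"012345"})
    # Call signs of the stations this facility is assigned to monitor (constructed).
    trusted_senders: frozenset = frozenset({"KEXM/FM "})
    # Largest tolerated gap between header time and the receiver's own clock.
    max_clock_skew_min: int = 60


def parse_header(header: str) -> dict:
    """Split a SAME header into its fields; raise ValueError if it is malformed."""
    m = HEADER_RE.match(header)
    if not m:
        raise ValueError("header does not match the SAME layout")
    fields = m.groupdict()
    fields["locs"] = fields["locs"].strip("-").split("-")
    return fields


def _minutes_of_year(day: int, hour: int, minute: int) -> int:
    # Year roll-over is ignored; good enough for a skew check within one day.
    return (day - 1) * 1440 + hour * 60 + minute


def check_header(header: str, policy: ReceiverPolicy, receiver_clock: str) -> list:
    """Return a list of findings; an empty list means the header passes policy.

    receiver_clock is the receiver's own UTC time in the same JJJHHMM form.
    """
    findings = []
    try:
        h = parse_header(header)
    except ValueError as exc:
        return [f"malformed: {exc}"]

    if h["org"] not in policy.allowed_originators:
        findings.append(f"unexpected originator {h['org']}")
    if h["event"] not in policy.known_events:
        findings.append(f"unknown event code {h['event']}")
    if not set(h["locs"]) & policy.my_locations:
        findings.append("no location code covers this facility")

    dur_h, dur_m = int(h["duration"][:2]), int(h["duration"][2:])
    if dur_m >= 60 or (dur_h == 0 and dur_m == 0):
        findings.append(f"implausible duration {h['duration']}")

    day, hour, minute = int(h["day"]), int(h["hour"]), int(h["minute"])
    if not (1 <= day <= 366 and hour < 24 and minute < 60):
        findings.append(f"invalid timestamp {h['day']}{h['hour']}{h['minute']}")
    else:
        now = (int(receiver_clock[:3]), int(receiver_clock[3:5]), int(receiver_clock[5:]))
        skew = abs(_minutes_of_year(day, hour, minute) - _minutes_of_year(*now))
        if skew > policy.max_clock_skew_min:
            findings.append(f"header time is {skew} min from receiver clock")

    if h["sender"] not in policy.trusted_senders:
        findings.append(f"sender {h['sender'].strip()!r} not in monitored-station list")
    return findings


# Constructed sample headers (not captured traffic).
SAMPLE_HEADERS = {
    # Routine weekly test from a monitored station, current time, covers the facility.
    "legit_test": "ZCZC-EAS-RWT-012345+0015-0471830-KEXM/FM -",
    # Evacuation order with an unknown originator, an unmonitored call sign,
    # a nonsense duration and a timestamp hours off the clock: four independent flags.
    "suspect_evac": "ZCZC-XYZ-EVI-012345+9999-0471200-FAKE1234-",
    # Syntactically broken: '+' separator missing before the duration field.
    "malformed": "ZCZC-EAS-RWT-012345-0015-0471830-KEXM/FM -",
}
RECEIVER_CLOCK = "0471835"  # constructed: day 047, 18:35 UTC


def run_demo() -> dict:
    """Check every sample header and return {name: findings}."""
    policy = ReceiverPolicy()
    return {name: check_header(hdr, policy, RECEIVER_CLOCK) for name, hdr in SAMPLE_HEADERS.items()}


if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

The point of the policy layer is that none of these checks prove authenticity: a header can be well formed, carry a monitored call sign and a fresh timestamp, and still be injected, which is exactly the gap the article describes. What the checks do buy is a log of headers that fail them, which is the signal-monitoring evidence a facility manager needs when deciding whether an alert on the feed was real.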

Moving Beyond Legacy Infrastructure

The reliance on unauthenticated, clear-text protocols for critical public safety is a systemic failure. While the simplicity of the SAME protocol was an asset in the 1980s, it is a massive liability today. As researchers, we need to continue pushing for the adoption of secure, authenticated alerting standards.

If you are interested in exploring this further, start by setting up an RTL-SDR and using SDR++ to monitor your local VHF bands. You will likely be surprised by how much unencrypted, sensitive, or critical data is being broadcast in the clear. The next time you see an emergency alert, consider the fact that the "small packet of bits" delivering that message is likely traveling through the airwaves without a single line of code verifying who sent it. That is the reality of our current infrastructure, and it is a problem that requires more than just a software update to fix.
