The United States Emergency Alert System (EAS) has “critical vulnerabilities” according to a recent review by IOActive, a security firm. The ability of the federal government to warn citizens about man-made and natural disasters is key to the survival of the populace.
Despite the importance of a secure and fully functional Emergency Alert System, it is really not surprising that the warning measures have become severely vulnerable. One just has to look at the state of the power grid to grasp the lack of attention the Obama administration has paid to life-saving infrastructure. The SHIELD Act, which was drafted to finally address the matter and the concerns voiced by members of the EMP commission, is stalled because the Energy and Commerce Committee chairman has not seen fit to schedule hearings on the bill.
The IOActive Emergency Alert System report stated that cyber hackers could sneak into the system and broadcast fake warning messages to American citizens.
An excerpt from the report reads:
“A hacker who gains control over one or more of the system’s servers could disrupt these stations’ ability to transmit and could disseminate false emergency information over a large geographic area.”
The panic and civil unrest which could easily result from a fake emergency alert could cost an untold number of lives. Imagine the reaction in a major metropolitan area if an Emergency Alert System warning stated that a terrorist attack with ricin or a dirty bomb had occurred. Before local law enforcement could confirm the terror alert was fake and attempt to share such information with citizens, thousands would have clogged the streets attempting to escape the city. Hospitals, schools, and assisted living centers would likely enact emergency protocols within seconds of an emergency alert, creating further chaos and the unnecessary movement of severely ill individuals.
IOActive discovered the critical vulnerabilities in the Emergency Alert System in multiple products, including the DASDEC-II, DASDEC-I, and other Linux-based DAS computer platforms. A Mashable report stated that a recent firmware update included a private Secure Shell (SSH) key that allows remote access to a server with root privileges.
The IOActive report also stated:
“DASDEC is one of a small number of application servers that now fill the role of delivering emergency messages to television and radio stations. DASDEC encoder/decoders receive and authenticate EAS messages delivered over the National Oceanic and Atmospheric Administration radio or relayed by a Common Alerting Protocol (CAP) messaging peer. After a station authenticates an EAS message, the DASDEC server interrupts the regular broadcast and relays the message onto the broadcast preceded and followed by alert tones that include some information about the event.”
All the computer jargon may be difficult for many of us non-techies to grasp, but it surely does not sound good. The bottom line is that hackers could manipulate the alert system's functions remotely.
The Emergency Broadcast System (EBS) was replaced with the existing EAS system in 1997. The original alert system was designed to share both local and nationwide emergency or disaster information. The current alert system was created to allow the president to address the entire country as quickly as 10 minutes after an emergency scenario is discovered.
Emergency Broadcast System alerts were shared via wire services. Radio and television stations around the nation received the information from an official government source, and then the details were shared with the general public. The current EAS system is designed to function in the same manner, with the addition of direct presidential sharing ability. Unfortunately, not a single Oval Office holder has attempted to use the modern system since it was put into place nearly 20 years ago. Whether or not the system will function as planned on a national scale remains largely unknown. The EAS is primarily used to share local alerts and information about tornado and hurricane movements.
IOActive advised the administration to correct the issue by re-evaluating existing firmware and by pushing all updates to all the system “appliances” to fix the critical vulnerability issue.
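A defensive check in the spirit of that advice, as an added example that is not from the IOActive report or the vendor: it fingerprints every key in an `authorized_keys` file and flags any that appear on a denylist of known-shared keys. The key blobs and the denylist entry are constructed placeholders, and it is an assumption here that the firmware-shipped key grants access through root's `authorized_keys`.

```python
import base64
import binascii
import hashlib

def fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob."""
    raw = base64.b64decode(blob_b64, validate=True)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def audit_authorized_keys(text, denylist):
    """Return (line_no, comment, fingerprint) for every denylisted key."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # Options such as from="..." may precede the key type, so locate it.
        for i, field in enumerate(fields[:-1]):
            if field.startswith(("ssh-", "ecdsa-", "sk-")):
                try:
                    fp = fingerprint(fields[i + 1])
                except (binascii.Error, ValueError):
                    continue  # text inside a quoted option, not a key blob
                if fp in denylist:
                    findings.append((line_no, " ".join(fields[i + 2:]), fp))
                break
    return findings

# Constructed stand-ins for key blobs (not real keys).
VENDOR_BLOB = base64.b64encode(b"constructed vendor firmware key").decode()
STATION_BLOB = base64.b64encode(b"constructed station admin key").decode()

# Placeholder denylist: in practice, the published fingerprint of the
# key that shipped in the affected firmware.
DENYLIST = {fingerprint(VENDOR_BLOB)}

SAMPLE = "\n".join([
    "# root authorized_keys (constructed sample)",
    f"ssh-rsa {STATION_BLOB} engineer@station",
    f'from="10.0.0.0/8" ssh-dss {VENDOR_BLOB} vendor-support',
])

if __name__ == "__main__":
    for line_no, comment, fp in audit_authorized_keys(SAMPLE, DENYLIST):
        print(f"line {line_no}: remove shared key '{comment}' ({fp})")
```

A key shared across every appliance stays trusted until it is removed from each unit, so the check is worth rerunning after a firmware update is applied.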
The IOActive Emergency Alert System report comes on the heels of a successful hacking attempt at the KRTV station in Montana. Cyber hackers were able to transmit a false EAS release about zombies. The fake alert quickly went viral, prompting chuckles from many—but the grins would surely disappear quickly if hackers tried again with a more realistic alert.
The EAS vulnerability report was concerning enough on its own, but since perhaps the least organized federal agency in America controls the system, more red flags are raised. Yes, you guessed it, FEMA is in charge. To date, the Federal Emergency Management Agency has yet to respond to media requests for comments about the ability of cyber hackers to issue fake alerts over television and radio waves.
Although it would take a very twisted mind, a cyber hacker could impact the movements and actions of Americans during a true disaster by sending out false instructions over the EAS system. A coordinated effort among terrorists to first enact a man-made disaster and then send out a fake alert which actually sends citizens running towards danger would allow a higher death toll.
Imagine, for a moment, a scenario similar to the tragic Boston Marathon bombing. After pressure cooker bombs go off, emergency responders and heroic citizens rush in to help, while a massive crowd attempts to quickly exit the area. A fake EAS alert authored by cyber hacking terrorists instructs residents to assemble in a specific area or at soft-targets for shelter. Before local officials have time to digest the misinformation during the emergency, additional bombs go off in the supposed shelter areas. The carnage which would occur would kill not only innocent people, but also first responders attempting to redirect the marauding crowds and correct the misinformation.
Hacking into the EAS system would take advanced computer skills, right? Wrong. According to a ZDNet report, the SSH key allows any person with limited knowledge to gain access to the system at the root server level and manipulate system functions.
What do you think about the IOActive Emergency Alert System critical vulnerabilities report?