Feeds

US Emergency Alert System open to hack attack

Security and encryption 'not primary design criteria'

  • alert
  • submit to reddit

3 Big data security analytics techniques

The US Emergency Alert System (EAS) that lets officials instantly interrupt radio and TV broadcasts to provide emergency information in a crisis suffers from security holes that leave it vulnerable to denial of service attacks, and could even permit hackers to issue their own false regional alerts, federal regulators acknowledged Thursday.

"Security and encryption were not the primary design criteria when EAS was developed and initially implemented," the Federal Communications Commission (FCC) wrote in a public notice launching a review of the system. "Now, however, emergency managers are becoming more aware of potential vulnerabilities within the system. For example, the complete EAS protocol is a matter of public record and potentially subject to malicious activations or interference."

The EAS was launched in 1997 to replace the cold-war era Emergency Broadcast System known best for making the phrase "this is only a test" a cultural touchstone. Like that earlier system, the EAS is designed to allow the President to interrupt television and radio programming and speak directly to the American people in the event of an impending nuclear war, or a similarly extreme national emergency. The system has never been activated for that purpose, but state and local officials have found it a valuable channel for warning the public of regional emergencies, including the "Amber Alerts" credited with the recovery of 150 abducted children.

Despite its regional successes, the EAS is increasingly under fire by critics who charge that its national mission is obsolete in an era of instant 24-hour news coverage, and who deride its quaint reliance on analog radio and broadcast and cable television. On Thursday, the FCC responded by opening a formal review of the EAS, beginning a public comment period on how the network might be improved. One of the issues the FCC is probing is the security of the system.

As first reported by SecurityFocus nearly two years ago, the EAS was built without basic authentication mechanisms, and is activated locally by unencrypted low-speed modem transmissions over public airwaves. That places radio and television broadcasters and cable TV companies at risk of being fooled by spoofers with a little technical know-how and some off-the-shelf electronic components. Under FCC regulations, unattended stations must automatically interrupt their broadcasts to forward alerts, making it possible for even blatantly false information to be forwarded without first passing human inspection.

The FCC's review follows a detailed report on the EAS produced by the non-profit Partnership for Public Warning (PPW) in February, which noted that "EAS security is now very much an issue."

"Since attacks involving chemical or biological weapons are likely to require use of the EAS system to provide official alert information to the public, it is possible that an attacker could decide to cripple the EAS or use it to spread damaging disinformation," reads the PPW report.

With Thursday's Notice of Proposed Rulemaking, the FCC acknowledged the vulnerabilities "could be exploited during times of heightened public anxiety and uncertainty" to distribute false information to the public, or that alternatively the "EAS signal could be subject to jamming."

Among the questions the FCC is pondering: how best to protect broadcasters from legal liability if they inadvertently rebroadcast a false EAS message; who should be responsible for system security; how can the authenticity of EAS messages be verified; and "what security standards, if any, should be implemented?"

"The Commission must now buckle down and do what it is we are asking state and local officials to do - assess vulnerabilities, create a plan for better service, and review and update that plan as communications technologies evolve," said commissioner Jonathan Adelstein in a statement.

There are no reported cases of the EAS vulnerabilities being exploited, and the PPW report concludes that the potential consequences of spoofing attacks are limited. "Research into the behavior of warning recipients suggests that a single false alarm, without corroboration from other credible sources, generally elicits only limited reaction from the public."

Copyright © 2004, 0

Related stories

Los Alamos and the missing discs that never were
Al-Qaeda computer geek nearly overthrew US
FBI publishes computer crime and security stats

3 Big data security analytics techniques

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.